Coinbase Bug to Provide Unlimited Ethereum

The bug was found by VI Company in December last year
21 March 2018   1795

VI Company reported the discovery of a vulnerability in the system of smart contracts of the Coinbase exchange, which allowed users to credit an unlimited amount of ETH to their accounts. Experts informed the company about the vulnerability in December last year, and in January it was eliminated. For their work, VI Company employees received an award of $ 10,000. This is reported by The Next Web.

By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account. If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want. When you look up the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.
 

VI Company Report

In practice, this means that Coinbase users were able to enroll any amount of Ethereum on their accounts.

Researchers provided screenshots showing how Ethereum was credited to their account using the cancellation of the transaction.

Coinbase Bug
Coinbase Bug

Steps to reproduce, provided by the researchers :

  • Setup a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example)
  • Transfer appropriate funds to smart contract.
  • Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.
  • Repeat until you have more than enough ethereum in your Coinbase wallet.
  • Cash out, transfer to off site wallet.

Whether any of the users could detect and take advantage of this vulnerability for their own enrichment is unknown.

Coinbase to Appear in San Francisco District Court

Exchange representatives must appear in court due to issues related to BCH trading launch in 2017
07 August 2019   194

San Francisco District Court judge Vince Chhabria ruled that the latter showed negligence and “clear incompetence generated by haste” when it started trading in Bitcoin Cash (BCH) on Coinbase. Now Coinbase, apparently, will be forced to stand trial, Bloomberg reports.

So, at the end of 2017, the exchange opened BCH trading, but was forced to suspend operations after 2 minutes due to high volatility and suspicious price increases - the coin began to grow rapidly several hours before the announcement of Coinbase.

Then the company was accused of insider trading, later crypto enthusiasts even began to find confirmation of this.

According to the judge, the users who bought VSN at inflated prices were primarily affected. He noted that the suspension of trading was too hasty and disrupted the normal functioning of the market.

BCH buyers claim that Coinbase could have announced a bid in advance to prevent a price spike, but it did not. The judge agreed with this opinion and noted that shortly before the launch of BCH trading on Coinbase, the Chicago Mercantile Exchange opened trading in bitcoin futures, which could become a factor of too much market participants' recovery.

According to the publication, Coinbase has not yet commented on the court decision.

Recall that in March 2018, a class action lawsuit was filed against the company, in which Coinbase was accused of “artificially overpricing” Bitcoin Cash through trading based on insider data.