Coinbase Bug to Provide Unlimited Ethereum

The bug was found by VI Company in December last year
21 March 2018

VI Company reported the discovery of a vulnerability in the way the Coinbase exchange handled smart contract transactions, which allowed users to credit an unlimited amount of ETH to their accounts. The researchers informed Coinbase about the vulnerability in December last year, and it was fixed in January. VI Company employees received a $10,000 award for their work, The Next Web reports.

By using a smart contract to distribute ether over a set of wallets, you can manipulate the account balance of your Coinbase account. If 1 of the internal transactions in the smart contract fails, all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want. When you look up the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.
 

VI Company Report

In practice, this means that Coinbase users were able to credit any amount of Ethereum to their accounts.

The researchers provided screenshots showing Ethereum being credited to their account even though the transaction had been reversed.


Steps to reproduce, provided by the researchers:

  • Set up a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (a smart contract that always throws an exception when receiving funds, for example).
  • Transfer appropriate funds to the smart contract.
  • Execute the smart contract, adding the set amount of ether to the Coinbase wallets without it ever actually leaving the smart contract wallet, because the complete transaction fails at the last wallet.
  • Repeat until you have more than enough Ethereum in your Coinbase wallet.
  • Cash out, transfer to an off-site wallet.

It is unknown whether any users discovered this vulnerability and took advantage of it for their own enrichment.
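How a deposit processor can avoid this class of error, shown as an added example that is not taken from VI Company's report or from Coinbase's code. The call-trace model, the addresses and the function names are constructed for illustration, and `naive_credits` is an assumption about the kind of logic that would produce the behaviour described above.

```python
from dataclasses import dataclass, field

ETH = 10**18
DEPOSITS = {"0xdepositA", "0xdepositB"}    # constructed exchange deposit addresses

@dataclass
class Call:
    """One frame of a constructed call trace (not a real node's trace format)."""
    to: str
    value_wei: int
    failed: bool = False                   # this frame threw or reverted
    children: list = field(default_factory=list)

def batch(last_recipient_throws):
    """User calls a distributor contract that forwards 1 ETH to each recipient.
    If the last recipient throws, the exception propagates and the root frame fails."""
    sends = [Call("0xdepositA", ETH), Call("0xdepositB", ETH),
             Call("0xlast", ETH, failed=last_recipient_throws)]
    return Call("0xdistributor", 3 * ETH, failed=last_recipient_throws, children=sends)

def naive_credits(root):
    """Flawed: judges each internal transfer in isolation."""
    credits, stack = {}, [root]
    while stack:
        call = stack.pop()
        if not call.failed and call.to in DEPOSITS and call.value_wei > 0:
            credits[call.to] = credits.get(call.to, 0) + call.value_wei
        stack.extend(call.children)        # descends even below a failed frame
    return credits

def safe_credits(root):
    """Credits a transfer only when its frame and every ancestor frame succeeded."""
    credits, stack = {}, [root]
    while stack:
        call = stack.pop()
        if call.failed:
            continue                       # everything below this frame was rolled back
        if call.to in DEPOSITS and call.value_wei > 0:
            credits[call.to] = credits.get(call.to, 0) + call.value_wei
        stack.extend(call.children)
    return credits

if __name__ == "__main__":
    for label, tx in (("reverted", batch(True)), ("successful", batch(False))):
        print(label, "naive:", naive_credits(tx), "safe:", safe_credits(tx))
```

Because the ancestor check applies at every level of the trace, it also covers a contract that catches a failed sub-call and continues: transfers made inside the failed sub-call are still skipped.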

Coinbase Acquires Earn.com Project

Earn’s co-founder and CEO will join Coinbase as the company’s first Chief Technology Officer
17 April 2018

On April 16, the Coinbase cryptocurrency exchange announced the acquisition of another startup it found promising. Earn.com is a project developing an app that should allow senders to pay users in digital currency for replying to emails and completing tasks.

A week ago we reported on the launch of Coinbase Ventures, whose goal is to help the most compelling companies flourish, and yesterday we found out that Coinbase is buying the open source, decentralized application and wallet Cipher Browser.


Moreover, along with the Earn.com acquisition, Coinbase also welcomed Earn’s co-founder and CEO, Balaji Srinivasan, who will join Coinbase as the company’s first Chief Technology Officer (CTO).

Over the last several years, the primary way most people have obtained cryptocurrency is through buying it, with many of these transactions facilitated by Coinbase. With this acquisition, we allow users to also earn crypto by doing things they already know how to do — like replying to emails and filling out surveys.
 

Earn.com announcement

For the users of Earn.com, everything will continue as before in the short term, with one exception: Earn.com has put the token launch on the back burner and plans to focus on integrating with Coinbase’s infrastructure and scaling up the service.