Coinbase Bug Allowed Users to Credit Unlimited Ethereum

The bug was found by VI Company in December last year
21 March 2018

VI Company reported the discovery of a vulnerability in the way the Coinbase exchange handled smart contracts, which allowed users to credit an unlimited amount of ETH to their accounts. The researchers informed the company about the vulnerability in December last year, and it was fixed in January. For their work, VI Company employees received an award of $10,000. This was reported by The Next Web.

By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account. If 1 of the internal transactions in the smart contract fails, all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want. When you look up the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.
 

VI Company Report

In practice, this means that Coinbase users were able to credit any amount of Ethereum to their accounts.

The researchers provided screenshots showing how Ethereum was credited to their account by a transaction that was then reversed.

Coinbase Bug

Steps to reproduce, provided by the researchers:

  • Set up a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (a smart contract that always throws an exception when receiving funds, for example)
  • Transfer appropriate funds to smart contract.
  • Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.
  • Repeat until you have more than enough ethereum in your Coinbase wallet.
  • Cash out, transfer to off-site wallet.

It is unknown whether any users discovered this vulnerability and took advantage of it for their own enrichment.
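The report above describes deposit bookkeeping that counted internal transfers from a transaction that was later reversed. The following is an added example, not code from Coinbase or VI Company: it models that flaw next to a check that credits a transfer only if its call frame and every ancestor committed, which also covers nested reverts beyond the case in the report. The `Frame` schema, the addresses and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    """One call frame of a transaction trace (hypothetical, simplified schema)."""
    frame_id: int
    parent: Optional[int]  # None for the top-level call
    to: str
    value_wei: int
    reverted: bool         # True if this frame itself ended in a revert/throw

def _sum_credits(frames, deposit_addrs, accept):
    credits = {}
    for f in frames:
        if f.to in deposit_addrs and f.value_wei > 0 and accept(f):
            credits[f.to] = credits.get(f.to, 0) + f.value_wei
    return credits

def naive_credits(frames, deposit_addrs):
    """Flawed model: trusts each transfer frame on its own and ignores its ancestors."""
    return _sum_credits(frames, deposit_addrs, lambda f: not f.reverted)

def safe_credits(frames, deposit_addrs):
    """Credit only transfers whose frame and all ancestors completed without reverting."""
    by_id = {f.frame_id: f for f in frames}
    def committed(f):
        while f is not None and not f.reverted:
            if f.parent is None:
                return True
            f = by_id.get(f.parent)  # missing parent: incomplete trace
        return False                 # reverted ancestor or gap: fail closed
    return _sum_credits(frames, deposit_addrs, committed)

# Constructed sample: a splitter contract pays two deposit addresses, then the
# last recipient throws, so the top-level call and every transfer in it revert.
ETH = 10**18
DEPOSITS = {"0xDEP1", "0xDEP2"}  # placeholder deposit addresses
REVERTED_TX = [
    Frame(0, None, "0xSPLITTER", 3 * ETH, reverted=True),
    Frame(1, 0, "0xDEP1", ETH, reverted=False),
    Frame(2, 0, "0xDEP2", ETH, reverted=False),
    Frame(3, 0, "0xFAULTY", ETH, reverted=True),
]

if __name__ == "__main__":
    print("naive:", naive_credits(REVERTED_TX, DEPOSITS))  # phantom credits
    print("safe: ", safe_credits(REVERTED_TX, DEPOSITS))   # nothing credited
```

Reconciling credited balances against the on-chain balance of each deposit address gives an independent check, since the report notes the address is empty after such a transaction.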

Coinbase to Pay $1M to Users of Collapsed Cryptsy

According to the plaintiffs' representative, Cryptsy's CEO used Coinbase to launder the money of the exchange's customers, and Coinbase should have stopped this
14 January 2020

Coinbase has settled a dispute with customers of the now-defunct cryptocurrency exchange Cryptsy, CoinDesk writes, citing documents submitted to the court.

According to the decision, Coinbase will transfer $962,500 to the escrow agent responsible for resolving the class action lawsuit against Cryptsy. The plaintiffs had previously won 11,325 BTC in court. A hearing will be held on April 17, 2020, at which it will be decided whether to approve the preliminary agreement or amend its provisions if necessary.

Brandon Leidel, representing the plaintiffs in this class action lawsuit, will receive $2,500 in compensation for the work done. He sued in 2016, accusing Cryptsy CEO Paul Vernon of using Coinbase to launder millions of dollars belonging to the trading platform's customers.

Leidel, a former Cryptsy client, claimed that Coinbase was supposed to actively discourage Vernon’s illegal activities. Coinbase referred to the terms of the user agreement that Vernon signed when he registered on the exchange. The court, however, ruled that Cryptsy's customers were not bound to Coinbase by the same agreement as Vernon.

When companies go out of business, founders flee the country and the amount at issue is relatively small, most plaintiff law firms would decline to pursue the case. We were the only lawyers in the country to pursue a case against Cryptsy or Coinbase, individually or as a class action, and we were able to obtain multiple meaningful recoveries for victims who would have otherwise been left without any recourse.

 

Marc Vites

Lawyer

Lawyer Marc Vites called the Coinbase and Cryptsy litigation “a tricky business.”