Retrospective: Recent Coinbase Bug Bounty Award | by Coinbase | Feb, 2022

At Coinbase, our primary precedence is guaranteeing that we uphold our safety commitments to our prospects. On February 11, 2022, we acquired a report from a third-party researcher indicating that they’d uncovered a flaw in Coinbase’s buying and selling interface. We promptly mobilized our safety incident response group to determine and patch the bug, and resolved the underlying system difficulty with none affect to buyer funds.

This weblog put up gives a deeper look into the timeline of occasions surrounding the bug report, in addition to a proof of the bug itself and the steps we took to resolve it and guarantee it can not occur once more.

(observe, all occasions occurred on February 11, 2022, and all instances are in PST)

• 10:16 AM: A member of the crypto neighborhood tweets that they’ve uncovered a severe flaw within the Coinbase buying and selling interface, and requests contacts within the Coinbase Safety group.
• 11:00 AM: Based mostly on restricted preliminary data supplied by intermediaries, Coinbase Safety declares an incident and mobilizes engineering assets to start testing all buying and selling interfaces to find out the validity of the alleged bug.
• 11:21 AM: The crypto researcher information a vulnerability report by way of HackerOne, Coinbase’s bug bounty platform, indicating that the flaw resides in a selected API for Retail Superior Buying and selling. Coinbase engineers additionally full a overview of all different person interfaces and Coinbase Change APIs and decide that they aren’t impacted.
• 11:42 AM: Coinbase engineers are capable of reproduce the bug, and the Retail Superior Buying and selling platform is positioned into cancel-only mode, disabling new trades.
• 4:01 PM: A patch is validated and launched, resolving the incident.

The underlying explanation for the bug was a lacking logic validation examine in a Retail Brokerage API endpoint, which allowed a person to submit trades to a selected order e book utilizing a mismatched supply account. This API is simply utilized by our Retail Superior Buying and selling platform, which is at present in restricted beta launch.

To offer an instance:

• A person has an account with 100 SHIB, and a second account with 0 BTC.
• The person submits a market order to the BTC-USD order e book to promote 100 BTC, however manually edits their API request to specify their SHIB account because the supply of funds.
• Right here, the validation service would examine to find out whether or not the supply account had a enough steadiness to finish the commerce, however not whether or not the supply account matched the proposed asset for submitting the commerce.
• In consequence, a market order to promote 100 BTC on the BTC-USD order e book could be entered on the Coinbase Change.

There have been mitigating elements that may have restricted the affect of this flaw had it been exploited at scale. For instance, Coinbase Change has computerized worth safety circuit breakers, and our commerce surveillance group constantly screens our markets for well being and anomalous buying and selling exercise.

Because of the researcher who responsibly disclosed this difficulty, Coinbase was capable of repair this bug in a matter of hours, and conclusively decide that it has by no means been maliciously exploited. We have now additionally carried out further checks to make sure that it can not occur once more.

Coinbase strongly helps impartial safety analysis, and when these researchers uncover severe points, we wish to be sure that they’re rewarded accordingly. In consequence, we’re paying our largest-ever bug bounty for this discovering: $250,000.

We welcome future submissions from this researcher and others by way of our HackerOne program: https://hackerone.com/coinbase.