Retrospective: Recent Coinbase Bug Bounty Award

At Coinbase, our top priority is ensuring that we uphold our security commitments to our customers. On February 11, 2022, we received a report from a third-party researcher indicating that they had discovered a flaw in Coinbase's trading interface. We immediately mobilized our security incident response team to identify and patch the bug, and resolved the underlying system issue with no impact to customer funds.

This blog post provides a deeper look into the timeline of events surrounding the bug report, as well as an explanation of the bug itself and the steps we took to resolve it and ensure it cannot happen again.

Timeline

(note: all events occurred on February 11, 2022, and all times are in PST)

  • 10:16 AM: A member of the crypto community tweets that they have discovered a serious flaw in the Coinbase trading interface, and requests contacts on the Coinbase Security team.
  • 11:00 AM: Based on limited initial information provided by intermediaries, Coinbase Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
  • 11:21 AM: The crypto researcher files a vulnerability report via HackerOne, Coinbase's bug bounty platform, indicating that the flaw resides in a specific API for Retail Advanced Trading. Coinbase engineers also complete a review of all other user interfaces and Coinbase Exchange APIs and determine that they are not impacted.
  • 11:42 AM: Coinbase engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed into cancel-only mode, disabling new trades.
  • 4:01 PM: A patch is validated and released, resolving the incident.

Root Cause

The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only used by our Retail Advanced Trading platform, which is currently in limited beta release.

To give an example:

  • A user has an account with 100 SHIB, and a second account with 0 BTC.
  • The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
  • Here, the validation service would check whether the source account had a sufficient balance to complete the trade, but not whether the source account's asset matched the asset being sold on the order book.
  • As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
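To make the missing check concrete, here is an added Python sketch (not Coinbase's code) of the balance-only validator described above beside one that also requires the source account to hold the asset the order debits. The Account and Order shapes and the sample SHIB/BTC accounts are assumptions modelled on the post's example; the fixed validator also covers the buy side, where the quote asset is debited.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Account:
    account_id: str
    asset: str        # the single asset this account holds, e.g. "SHIB"
    balance: Decimal


@dataclass(frozen=True)
class Order:
    book: str         # "BASE-QUOTE", e.g. "BTC-USD"
    side: str         # "sell" or "buy"
    amount: Decimal   # quantity of the debited asset the order spends
    source: Account   # account the API request names as funding the trade


def debited_asset(order: Order) -> str:
    """Asset the order spends: the base asset on a sell, the quote asset on a buy."""
    base, quote = order.book.split("-", 1)
    return base if order.side == "sell" else quote


def validate_vulnerable(order: Order) -> bool:
    """Balance-only check, as in the flaw: source.asset is never consulted."""
    return order.source.balance >= order.amount


def validate_fixed(order: Order) -> tuple[bool, str]:
    """Balance check plus the asset-match check that was missing."""
    expected = debited_asset(order)
    if order.source.asset != expected:
        return False, f"source holds {order.source.asset}, order debits {expected}"
    if order.source.balance < order.amount:
        return False, "insufficient balance"
    return True, "ok"


# Constructed sample data reproducing the post's scenario (hypothetical ids).
SHIB_ACCOUNT = Account("acct-shib", "SHIB", Decimal("100"))
BTC_ACCOUNT = Account("acct-btc", "BTC", Decimal("0"))
MISMATCHED = Order("BTC-USD", "sell", Decimal("100"), SHIB_ACCOUNT)  # edited request
HONEST = Order("BTC-USD", "sell", Decimal("100"), BTC_ACCOUNT)       # correct account

if __name__ == "__main__":
    for name, order in (("mismatched", MISMATCHED), ("honest", HONEST)):
        print(name, "vulnerable:", validate_vulnerable(order), "fixed:", validate_fixed(order))
```

The balance-only validator accepts the edited request because 100 SHIB satisfies "100 >= 100", while the fixed one rejects it before the balance is even compared.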

There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale. For example, Coinbase Exchange has automated price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and anomalous trading activity.

Conclusion

Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug in a matter of hours, and conclusively determine that it has never been maliciously exploited. We have also implemented additional checks to ensure that it cannot happen again.

Coinbase strongly supports independent security research, and when these researchers discover serious issues, we want to make sure that they are rewarded accordingly. As a result, we are paying our largest-ever bug bounty for this finding: $250,000.

We welcome future submissions from this researcher and others through our HackerOne program: https://hackerone.com/coinbase.


Retrospective: Recent Coinbase Bug Bounty Award was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
