Coinbase, one of the world’s most popular cryptocurrency exchanges, has had a nasty bug lurking in its system that would allow users to collect unlimited ether through a few simple steps. Thanks to a bug report, however, the company avoided disaster.
A Dutch FinTech company, VI Company, publicly disclosed a Coinbase bug on March 20. According to the vulnerability report, a custom-built smart contract sending to a string of digital wallets could be used to trick Coinbase's algorithms into believing that a transfer had taken place.
The Ethereum blockchain is deemed in some ways superior to Bitcoin’s due to its usage of smart contracts. For non-specialists, a smart contract is a set of if/then conditions regulating the transfer of an underlying asset/fund/security.
To build familiarity with smart contracts amongst its employees, VI Company created a unique Christmas present in 2017: a smart contract that would reward employees with a small amount of ether as a festive bonus. However, the company noticed a bug.
If one of a smart contract's internal transactions fails, all of its transactions are reverted, which is how a smart contract should work. But employees working on the project found that Coinbase's internal accounts didn't register the reversal. Hence Coinbase's software believed the wallet had been credited with additional ether when, in reality, no deposit had been made.
VI Company made a screenshot of its transactions available to the public and also outlined the steps that allowed an unlimited amount of ETH to be credited:
- Set up a smart contract with a few valid Coinbase wallets and [one] final faulty wallet,
- Transfer appropriate funds to smart contract,
- Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet,
- Repeat until you have enough ETH on your Coinbase wallet,
- Cash out.
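The accounting mistake the report describes, modelled as an added example (not code from VI Company or Coinbase): a trace walker that credits every internal transfer to an exchange address, beside one that only credits transfers whose enclosing call did not revert. The `Call` type, the addresses and the trace are constructed stand-ins for a real transaction trace.

```python
from dataclasses import dataclass, field

# Constructed exchange deposit addresses (placeholders, not real Coinbase wallets).
EXCHANGE = {"0xCB01", "0xCB02", "0xCB03"}

@dataclass
class Call:
    """One frame of a transaction trace; `reverted` means this frame itself failed."""
    to: str
    value: int                      # wei this call moves if it takes effect
    reverted: bool = False
    children: list = field(default_factory=list)

def naive_credits(trace, exchange):
    """Buggy accounting: credit every internal transfer aimed at an exchange address,
    ignoring whether the enclosing call (and thus the transfer) actually took effect."""
    credits = {}
    def walk(c):
        if c.to in exchange:
            credits[c.to] = credits.get(c.to, 0) + c.value
        for ch in c.children:
            walk(ch)
    walk(trace)
    return credits

def safe_credits(trace, exchange):
    """Correct accounting: a transfer counts only if neither its own frame nor any
    enclosing frame reverted. A revert that bubbles to the top discards everything."""
    credits = {}
    def walk(c, ancestor_failed):
        failed = ancestor_failed or c.reverted
        if not failed and c.to in exchange:
            credits[c.to] = credits.get(c.to, 0) + c.value
        for ch in c.children:
            walk(ch, failed)
    walk(trace, False)
    return credits

def bug_report_trace():
    """Constructed trace shaped like the report: a contract pays three exchange
    wallets, then a faulty wallet; that failure bubbles up and reverts the call."""
    return Call("0xCONTRACT", 0, reverted=True, children=[
        Call("0xCB01", 10**18), Call("0xCB02", 10**18), Call("0xCB03", 10**18),
        Call("0xBAD", 10**18, reverted=True)])

if __name__ == "__main__":
    print(naive_credits(bug_report_trace(), EXCHANGE))  # three phantom deposits
    print(safe_credits(bug_report_trace(), EXCHANGE))   # {} : nothing moved on chain
```

The third check in the test below covers the edge case where a contract catches a failing sub-call: only the failed frame is discarded, and the sibling transfers still count.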
So Did You Miss a Once-in-a-lifetime Chance to Collect the World’s ETH Reserves?
To put things into perspective, accounts from Coinbase would show the funds as “present,” even though they were never transferred to the wallet. The ETH that could be collected was just part of Coinbase’s records.
- There was no way of getting an infinite amount of ETH; you could have only moved all of Coinbase’s ETH into your own Coinbase Ethereum wallet.
- Stealing this money would be practically impossible because it would mean moving millions of ETH into your Coinbase wallet. To withdraw any meaningful amount, you'd have to give Coinbase your ID, in which case you would be arrested for the theft in no time.
Also, for an exchange handling $20 billion, Coinbase surely has some kind of mechanism in place that prevents large amounts of ETH from moving out of its cold storage wallet; this would also limit the amount of ETH that could be withdrawn.
While this particular bug was difficult to exploit without getting caught, it just goes to show that even the most secure crypto exchanges have bugs that can be exploited. VI Company received a $10,000 bounty from Coinbase for exposing the vulnerability. As of now, there are no reports of anyone successfully taking advantage of this bug and making money out of it.