Overstock unwittingly processed bitcoin cash as having an identical value to bitcoin, effectively allowing customers of the e-commerce giant up to an 85 percent discount on cryptocurrency purchases.
As tested by expert security investor Brian Krebs, the glitch allowed customers to use bitcoin and bitcoin cash interchangeably, profiting the difference between the two when paying in bitcoin cash. The difference is approximately 85 percent if bitcoin is worth $14,000 and bitcoin cash is trading around $2,400.
In addition, should the customer then have had a change of heart and requested a refund, Overstock would have refunded the full worth of the item in bitcoin.
For example, if Harry were to treat himself to a new gas grill worth $400, he could essentially have bought it for only $60 using bitcoin cash, and kept the other $340 for himself. If his wife had happened to catch wind of the purchase and demanded he cancel the order, he would have received a full $400 back in bitcoin, essentially profiting a clean $360 from the transaction.
As Krebs pointed out in his post, if someone were to place and then cancel an order for a $100,000 diamond ring, having paid only 15 percent of the amount by using bitcoin cash, the site would refund the full $100,000 in bitcoin – allowing that person to profit a staggering $85,000 in a matter of minutes.
Coinbase and Overstock just fixed a bug I helped to report that let anyone buy items at ~15% of listed price by paying in bitcoin cash (BCH) instead of bitcoin (BTC). Worse, refunds for items purchased w/ BCH were refunded in BTC! Crypto-alchemy! https://t.co/1YHGI1ibHb
— briankrebs (@briankrebs) January 9, 2018
Although the glitch existed for only three weeks, it is unthinkable what could have been accomplished during this time should it have been noticed and taken advantage of by the wrong person.
According to Brian Krebs, the alarming issue was initially discovered on by JB Snyder, the owner of Bancsec. As Snyder’s company specializes in finding fault with banks’ existing security protocols, he realized the severity of the problem immediately as he completed his transaction, after which he contacted Krebs to investigate the issue.
When Krebs tested the fault by purchasing three solar lamps for $78.27 in total, he saw that Snyder’s findings were correct and that Overstock’s check-out page was quite happy to accept bitcoin cash in place of bitcoin without correcting the amount of the currency required.
Unwilling to steal from the online retail store, Krebs canceled the order, only to be surprised when the refund was returned to him in bitcoin instead of bitcoin cash.
Overstock made the following statement after being contacted by Krebs about the glitch, saying that it had not made any changes on its side and that Coinbase had resolved the issue.
“We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue. We have since confirmed that the issue described in the finding has been resolved, and the cryptocurrency payment option has been re-enabled.”
The statement continued:
“After being made aware of an issue in our joint refund processing code on Saturday, Coinbase and Overstock worked together to deploy a fix within hours. While a patch was being developed and tested, orders were proactively disabled to protect customers. To our knowledge, a very small number of transactions were impacted by this issue. Coinbase actively works with merchant partners to identify and solve issues like this in an ongoing, collaborative manner and since being made aware of this have ensured that no other partners are affected.”
Following the discovery, both Snyder and Krebs individually checked all other merchants that use Coinbase for their cryptocurrency payment offering, and collectively found that the issue was not present with any other platform.
According to Coinbase, the glitch was a result of “the merchant partner improperly using the return values in the merchant integration API.” Additionally, the exchange stated that no other merchant had been affected by this problem, a fact independently confirmed by Krebs and Snyder’s investigation.