On March 20, 2018, it was revealed that a bug hidden in Coinbase’s Ethereum smart contract setup could have given users access to unlimited amounts of ether. At press time, it does not appear as though the vulnerability was ever exploited or even noticed by users.
The issue was first discovered last December by VI Company, a Dutch firm that specializes in fintech. The company was planning to give its employees ether bonuses in celebration of the upcoming holiday season when researchers noticed the issue with their “ETH receiving code” while garnering funds from a contract. They saw that by using a smart contract, a series of digital wallets could be “tricked” into recording ether transfers and purchases that had never actually happened.
The team issued the following statement in a vulnerability report later published on the firm’s HackerOne account in January 2018:
“By using a smart contract to distribute [ETH] over a set of wallets, you can manipulate the account balance of your Coinbase account. If [one] wallet transaction in the smart contract fails, all transactions before that will be reversed, but on Coinbase, these transactions will not be reversed, meaning a person could add as much Ethereum to their balance as they want.”
The report specified the following steps for taking advantage of the exchange’s weakness:
- Set up a smart contract with a few valid Coinbase wallets and [one] final faulty wallet.
- Transfer appropriate funds to the smart contract.
- Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.
- Repeat until you have more than enough ether in your Coinbase wallet.
- Cash out, transfer to offsite wallet.
Had users noticed the glitch, they might have been able to turn themselves into crypto-billionaires overnight.
The problem was resolved after the team changed the contract handling logic. VI Company claimed there were only “accidental” losses for Coinbase and stated there were no attempts to exploit the vulnerability. Coinbase executives later thanked VI Company’s counterparts by sending them a $10,000 bounty for their work.
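
The accounting gap the report describes can be shown on the crediting side. The following is an added example, not Coinbase's or VI Company's code: it compares a ledger that credits every transfer seen in a transaction's call trace with one that credits only transfers that actually committed. The trace layout, addresses and function names are constructed for illustration.

```python
# Added example. The trace layout is a constructed, simplified format
# (assumption), not a real node API or any exchange's code. Values are in ether.
WATCHED = {"0xwalletA", "0xwalletB"}  # constructed deposit addresses

def call(to, value, reverted=False, calls=()):
    """One call frame: recipient, ether sent, whether the frame reverted."""
    return {"to": to, "value": value, "reverted": reverted, "calls": list(calls)}

# The report's scenario: the last payout fails, so the whole tx reverts.
REVERTED_TX = {"status": 0, "trace": call("0xdistributor", 3, reverted=True, calls=[
    call("0xwalletA", 1),
    call("0xwalletB", 1),
    call("0xfaulty", 1, reverted=True),
])}

# Edge case: the transaction succeeds, but one inner frame reverted and the
# caller carried on. Transfers made inside that frame never took effect.
PARTIAL_TX = {"status": 1, "trace": call("0xdistributor", 3, calls=[
    call("0xwalletA", 1),
    call("0xhelper", 2, reverted=True, calls=[call("0xwalletB", 2)]),
])}

def walk(frame, skip_reverted):
    """Yield (address, value) for each transfer to a watched address."""
    if skip_reverted and frame["reverted"]:
        return  # the frame and everything beneath it was rolled back
    if frame["to"] in WATCHED and frame["value"] > 0:
        yield frame["to"], frame["value"]
    for child in frame["calls"]:
        yield from walk(child, skip_reverted)

def total(pairs):
    credits = {}
    for addr, value in pairs:
        credits[addr] = credits.get(addr, 0) + value
    return credits

def naive_credits(tx):
    """Flawed accounting: credits every transfer that appears in the trace."""
    return total(walk(tx["trace"], skip_reverted=False))

def safe_credits(tx):
    """Credits only transfers in frames that committed, in a successful tx."""
    return total(walk(tx["trace"], skip_reverted=True)) if tx["status"] == 1 else {}

if __name__ == "__main__":
    for name, tx in (("reverted", REVERTED_TX), ("partial", PARTIAL_TX)):
        print(name, "naive:", naive_credits(tx), "safe:", safe_credits(tx))
```

Checking the top-level status alone is not enough: in the second constructed transaction the receipt reports success, yet the transfer inside the reverted inner frame must still be ignored.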
Though instances like these are rare, they can occur from time to time. In February 2018, popular Japanese exchange Zaif aroused heavy controversy after a bug was exposed that allowed users to purchase bitcoin through its system at no charge. Representatives of the company claimed the error occurred within its “price calculation system” and that seven transactions had occurred where customers bought bitcoin for zero yen. Six of these transactions were later reversed.
Zaif’s parent company, Tech Bureau Corp, had faced several checks the previous month after regulators claimed it was vulnerable to cyberattacks. The exchange later apologized to users, saying the problem would not affect individual customer amounts. Zaif is one of a small handful of cryptocurrency trading platforms currently registered with the Japanese government.