Coinbase Bug Allowed Users To Steal Unlimited ETH, Wallet Paid $10K Bounty For Discovery
By William Suberg
COINTELEGRAPH
Major US crypto wallet provider and exchange service Coinbase has rewarded a Dutch company with a $10,000 bounty after it discovered a smart contract glitch allowing users to steal “as much as they want” in Ethereum (ETH), according to a report made public today, March 21.
The issue, which VI Company reported to Coinbase December 27 of last year, revolved around exploiting a smart contract that involved a faulty wallet.
Users were technically able to credit themselves with unlimited ETH funds. “By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account,” VI Company described in the report, continuing:
“If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want.”
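The crediting gap described in the report, as an added example that is not code from the article, VI Company or Coinbase: a deposit routine that walks a transaction's internal calls, first in a flawed form that ignores failures and then in a form that credits a transfer only when its own call and every enclosing call succeeded. The trace layout, addresses and function names are assumptions constructed for illustration.

```python
# Added illustration: constructed traces, hypothetical names and field layout.
WEI = 10**18
OUR_WALLETS = {"0xaaa1", "0xaaa2"}  # constructed deposit addresses


def naive_credits(frame, wallets):
    """Flawed: credits every internal transfer, ignoring failure status."""
    out = []
    if frame["to"] in wallets and frame["value"] > 0:
        out.append((frame["to"], frame["value"]))
    for child in frame.get("calls", []):
        out.extend(naive_credits(child, wallets))
    return out


def safe_credits(frame, wallets, ancestor_failed=False):
    """Credit a transfer only if its frame and every ancestor succeeded."""
    failed = ancestor_failed or bool(frame.get("error"))
    out = []
    if not failed and frame["to"] in wallets and frame["value"] > 0:
        out.append((frame["to"], frame["value"]))
    for child in frame.get("calls", []):
        out.extend(safe_credits(child, wallets, failed))
    return out


def call(to, value, error=None, calls=()):
    """Build one constructed call frame."""
    return {"to": to, "value": value, "error": error, "calls": list(calls)}


# Distributor pays two of our wallets, then a third transfer fails and the
# whole transaction reverts: on-chain, nobody received anything.
REVERTED_TX = call("0xd157", 3 * WEI, error="execution reverted", calls=[
    call("0xaaa1", WEI),
    call("0xaaa2", WEI),
    call("0xbad0", WEI, error="out of gas"),
])

# Same distribution with no failure: both deposits are real.
CLEAN_TX = call("0xd157", 3 * WEI, calls=[
    call("0xaaa1", WEI), call("0xaaa2", WEI), call("0xccc3", WEI),
])

if __name__ == "__main__":
    print("naive, reverted tx:", naive_credits(REVERTED_TX, OUR_WALLETS))
    print("safe,  reverted tx:", safe_credits(REVERTED_TX, OUR_WALLETS))
    print("safe,  clean tx:   ", safe_credits(CLEAN_TX, OUR_WALLETS))
```

The same ancestor check also covers a contract that catches a failed inner call and carries on: transfers inside the failed branch are skipped while successful siblings are still credited.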
Coinbase has faced continued technical difficulties for almost a year. Since a mass influx of new users in mid-2017, the US’ largest exchange and wallet provider’s technical capabilities have been stretched, resulting in delayed and missing funds, system outages and other problems.
Despite promises to beef up performance, the reaction to a bug that could technically have drained billions of dollars in cryptocurrency is telling: Coinbase fixed the issue only on January 26, a month after the original report.
“Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts,” it wrote as part of its commentary.
Loopholes of this type have previously affected major businesses interacting with cryptocurrency. In January, Cointelegraph reported on a website glitch at Overstock.com, which allowed users to pay and request refunds in either Bitcoin (BTC) or Bitcoin Cash (BCH), resulting variously in huge savings or huge profits. Overstock uses Coinbase’s merchant integration API.