An interesting post has surfaced on Reddit, detailing how one former Coinbase user helped the company fix a major financial exploit. While that might not be something out of the ordinary, Coinbase ended up closing the user’s account after his help. Even though he was paid a small bug bounty for his findings – and never used Coinbase for buying or selling BTC – the company effectively banned the user for an unknown reason.
Coinbase Fixes Infinite Bitcoin Withdrawal Exploit
Based on the detailed report found on Reddit, Coinbase was – at one time – facing a severe exploit that could have bankrupted the company. The company’s “Vault” service, which is used by many people to store bitcoins in a safe and secure manner, has not always been without flaws or vulnerabilities
The Reddit user, who goes by the name of David Jones mentioned how he was able to withdraw infinite amounts of Bitcoin from CoinBase Vault, even if he did not own those coins to begin with. No user should be able to create a negative balance on the platform, yet a screenshot shows how this was possible at one point. It goes without saying that public knowledge of this exploit could have cost Coinbase several millions of dollars.
Instead of using this exploit for nefarious purposes, Mr. Jones reported the incident to Coinbase as part of the company’s bug bounty program. After a thorough step-by-step explanation of how this vulnerability could be exploited, Coinbase managed to fix the problem and rewarded the user with a US$5,000 bounty. Some people might say the reward should have been substantially higher, though.
It didn’t take long for things to take a turn for the worst, as Coinbase then proceeded to lock David’s account without any warning or responding to support tickets. As a result, the user could no longer withdraw any funds from Coinbase. Not exactly the attitude one would come to expect from a company that could have lost millions, but was fortunate enough to have one user report the issue.
But that isn’t the worst part, as a very similar exploit to the first one was discovered shortly afterwards by the same user! Coinbase marked this second exploit as “informative”. According to David:
When i discovered the second exploit they stopped responding to me for months, and after their response for more info on the exploit they had banned my account.
When the user asked for an explanation as to why his account was banned, he received the following response:
Mr. Jones explains that he believes the reason Coinbase banned him was because they didn’t want to pay out the second bounty.
It’s like they didn’t want me to provide them more info, they knew i couldn’t access my account because of the ban. The only reason i think they would ban me is to avoid me fully confirming the second exploit and getting paid another bounty. With their request for “more info” they already knew and had fixed the bug, when i tried to reproduce it with another account, so i think they just asked for more info to avoid paying me the second bounty, fully knowing i was banned.
In response, Charlie Lee, Director of Engineering at Coinbase said that the account ban wasn’t due to the user’s bug reporting. He also summarized the exploit as follows:
- User has a vault with 2 BTC and a wallet with 0 BTC.
- User withdraws 2 BTC from his vault to his wallet.
- Withdrawal clears. (vault: 0 BTC, wallet: 2 BTC)
- User withdraws 2 BTC from wallet to an external address. (vault: 0 BTC, wallet: 0 BTC)
- Bug allowed user to cancel the previously cleared vault withdrawal. (vault: 2 BTC, wallet: -2 BTC)
- User can now withdraw 2 BTC from vault to a 2nd wallet. (vault: 0 BTC, wallet: -2 BTC, wallet-b: 2 BTC)
On the surface, it looks like an infinite btc withdrawal bug. In reality, we have protection in place to prevent us from losing money due to all bugs similar to this one. I actually coded this myself years ago when we started allowing multiple accounts per user. The protection is such that if user has ANY account that has a negative value, we will block ANY external sends.
All in all the exploit did not cause any actual losses and the user was never able to withdraw more bitcoins than he had. So, in the eyes of Charlie Lee a $5000 reward seemed like a more than reasonable amount for essentially a front end bug.
Bug Bounties Are Key To Making Bitcoin Platforms More Secure
Over the past six years, various Bitcoin companies and platforms have become the target of exploits and hacking attempts. In a few cases, user funds have been stolen, and bug bounty programs could have prevented most of those issues. The attitude shown by Coinbase is, even though this is an unconfirmed and one-sided report, anything but professional.
Without users identifying and reporting bugs, there will always be a chance for user funds to be stolen by assailants. This is not beneficial to the Bitcoin ecosystem, as users are taking the full responsibility for their financial wealth at any given time. We can only hope more companies show their true appreciation when users identify key problems that could turn out to be very costly.