The Dutch firm, VI Company, was instrumental in identifying a Coinbase exploit that was – until today – largely unknown.
Disclosed via the vulnerability tracking and coordination platform HackerOne, researchers at VI Company described the issue as follows: "By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account."
VI Company's posting continues:
"If one of the internal transactions in the smart contract fails, all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want."
The sensitive nature of this exploit, discovered last December, was handled with professionalism. Rather than causing a panic by going public, the Rotterdam-based researchers contacted Coinbase's security team privately on December 27, 2017.
Discovering The Bug
While conducting tests on the Ethereum blockchain mainnet for an unrelated project during the winter holidays, the VI Company team inadvertently came across the vulnerability. Programmer and researcher Jesse Lakerveld described discovering the exploit:
" During this [unrelated testing], we had some wallets which returned an error when we tried sending Ethereum there. This, in turn, stopped the execution of the smart contract and reversed all transactions as we expected it to do. What we didn't expect was that one of our colleagues, who decided to use Coinbase as his wallet, told us he received the Ethereum. After checking, we found out that no Ethereum had been sent to our colleague according to the smart contract. But according to his Coinbase wallet, he did receive it."
According to Lakerveld, the VI Company first "wrote this off as an odd bug that happens from time to time."
Unable to shake what he had seen, Lakerveld – now aided by two of his fellow colleagues – set out to reproduce the error. "After some small-scale testing with a different smart contract with two Coinbase wallets, one normal Ethereum wallet and one other smart contract … the transaction [crashed] when Ethereum was sent there. Lo and behold we could reliably reproduce this bug and add Ethereum to our Coinbase wallets without ever sending any."*
Disclosing the Bug
Once the team realized the magnitude of the bug they had discovered, they were confronted with the problem of how to let Coinbase know. "You can imagine that some companies might not be very happy if you post stuff like this in public," continued Lakerveld.
After alerting Coinbase via HackerOne last December, Lakerveld spent the next few weeks working with Coinbase's security team to test and fix the exploit. Roughly a month later, the exploit had been fixed in what Coinbase describes as a change to the "contract handling logic." On January 25, 2018, Coinbase rewarded VI Company with a bounty of $10,000 for its work discovering the bug.
After the exploit was resolved, VI Company was asked not to go public with information about the exploit until today, March 21, 2018, for reasons still unknown. Thus, the researchers also helped preserve Coinbase's reputational capital.
ETHNews had previously covered troubles at Coinbase during December of last year that may have contributed to the decision to keep this particular vulnerability concealed until now.
In the shadowy world of cryptocurrency exploits, this particular bug was so significant, that perhaps it's better people didn't know it existed until after it had been resolved. As with so much of the momentum in the cryptospace right now, this is an example of how contract security is becoming increasingly important.
* It should be noted that from the published statements on this matter ETHNews was unable to clearly discern whether the funds transferred in this scenario were being sent from an external wallet address, or from another Coinbase wallet.