Last Christmas, VI/Company discovered a vulnerability in the Coinbase platform affecting its Ethereum wallets. The bug was reported to the cryptocurrency exchange, which rewarded VI/Company with $10,000.
The security flaw arose from executing a smart contract on the Ethereum main network and was discovered while the VI/Company team was testing the network. They observed that, when sending several Ethereum transfers to different wallets, an error occurred that invalidated the transaction and returned the Ethereum (as would normally be expected).
One of the company's employees, who had made a failed Ethereum transfer, noticed that, according to the Ethereum network, the transaction had been invalidated by an error and that he had received the Ethereum back.
The company decided to keep testing and investigating until they confirmed that every time they performed this transaction against a Coinbase wallet, they could send Ethereum and take advantage of the error: the transaction was returned to the originating wallet while the funds were also credited to the Coinbase wallet.
How do you warn Coinbase of an error?
The VI/Company team was unsure how to inform Coinbase of the vulnerability they had discovered and decided to do so through HackerOne, a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers.
Through this platform VI/Company and Coinbase got in contact and began working together to solve the problem. Once it was fixed, Coinbase reached an agreement with VI/Company not to disclose the findings until after the 21st of March.
Companies registered with HackerOne can financially reward those who detect security flaws and report them so that a fix can be found. That is why Coinbase rewarded VI/Company with $10,000 for the vulnerability it helped find and correct.
Once the bug was fixed, a short guide was published on the HackerOne website describing how the error could have been exploited.
Steps To Reproduce:
- Set up a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (for example, a smart contract that always throws an exception when receiving funds).
- Transfer appropriate funds to smart contract.
- Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.
- Repeat until you have more than enough ethereum in your Coinbase wallet.
- Cash out, transfer to off-site wallet
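The steps above work because the payouts to the exchange wallets succeed in their own call frames while the final faulty recipient reverts, which unwinds the whole transaction on-chain; a deposit indexer that books each internal transfer on its own still credits the funds. The following added example (not VI/Company's or Coinbase's code) contrasts that naive bookkeeping with a check that only credits transfers whose entire call path succeeded, and it also handles the general case where a contract catches a failing payout so that the other payouts stand. The `Call` trace shape and the `0x...` addresses are constructed stand-ins, not a real tracer format.

```python
# Added illustration of the article's failure mode (not VI/Company's or
# Coinbase's code): a contract pays several exchange wallets, a final call
# reverts, the chain rolls the whole transaction back, yet an indexer that
# books every internal transfer it sees still credits the deposits.
# The Call shape and the 0x... addresses are constructed stand-ins for a
# node's call trace, not a real tracer format.
from dataclasses import dataclass, field

@dataclass
class Call:
    to: str
    value: int                                 # wei moved by this frame
    reverted: bool = False                     # this frame ended in a revert
    calls: list = field(default_factory=list)  # nested frames it made

def naive_transfers(frame):
    """Buggy: judges each frame alone and ignores what happened to its parents."""
    if frame.value and not frame.reverted:
        yield frame.to, frame.value
    for child in frame.calls:
        yield from naive_transfers(child)

def effective_transfers(frame, ancestor_reverted=False):
    """A frame's transfer survives only if it and every ancestor succeeded."""
    reverted = ancestor_reverted or frame.reverted
    if frame.value and not reverted:
        yield frame.to, frame.value
    for child in frame.calls:
        yield from effective_transfers(child, reverted)

def credits(transfers, wallets):
    """Sum the transfers that land on wallets the exchange controls."""
    out = {}
    for to, value in transfers:
        if to in wallets:
            out[to] = out.get(to, 0) + value
    return out

def credit_deposits(receipt_status, root, wallets):
    """Book nothing from a failed tx (status 0); else only fully successful paths."""
    if receipt_status != 1:
        return {}
    return credits(effective_transfers(root), wallets)

# Constructed trace of the reported transaction: two payouts complete, the
# third recipient reverts, and the uncaught revert unwinds the root frame.
ETH = 10**18
EXCHANGE_WALLETS = {"0xWALLET_A", "0xWALLET_B"}
FAILED_TX = Call("0xCONTRACT", 0, reverted=True, calls=[
    Call("0xWALLET_A", 1 * ETH),
    Call("0xWALLET_B", 1 * ETH),
    Call("0xFAULTY", 1 * ETH, reverted=True),
])
```

Running `credits(naive_transfers(FAILED_TX), EXCHANGE_WALLETS)` books 1 ETH to each exchange wallet from a transaction that never settled, whereas `credit_deposits(0, FAILED_TX, EXCHANGE_WALLETS)` books nothing.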