{"id":4508,"date":"2018-03-26T00:00:00","date_gmt":"2018-03-26T00:00:00","guid":{"rendered":"https:\/\/crypto-economy.com\/2018\/03\/26\/detected-vulnerability-in-coinbase-allowed-to-extract-ethereum\/"},"modified":"2023-04-03T11:53:36","modified_gmt":"2023-04-03T11:53:36","slug":"detected-vulnerability-in-coinbase-allowed-to-extract-ethereum","status":"publish","type":"post","link":"https:\/\/crypto-economy.com\/detected-vulnerability-in-coinbase-allowed-to-extract-ethereum\/","title":{"rendered":"Detected vulnerability in Coinbase allowed to “extract” Ethereum"},"content":{"rendered":"

Last Christmas, VI\/Company<\/a><\/strong> detected a vulnerability in the Coinbase<\/a><\/strong> platform that affected Ethereum<\/a><\/strong> wallets. The flaw was reported to the cryptocurrency purchase platform, which has rewarded VI\/Company with $10,000.<\/p>\n

The security flaw arose when a smart contract was executed on the main network of the Ethereum blockchain<\/strong>, and it was discovered while the VI\/Company team was testing the network. They observed that, when sending several Ethereum transfers to different wallets, an error occurred that invalidated the transaction and returned the Ethereum (as normal).<\/p>\n

One of the company's employees, who had made a failed Ethereum transfer, noticed that, according to the Ethereum network, the transaction had been invalidated by an error and the Ethereum had been returned to him.<\/p>\n

The company continued testing and investigating until it verified that, every time it made this transaction with a Coinbase wallet, it could send Ethereum and take advantage of the error: the funds were returned to the original wallet while also being received in the Coinbase wallet.<\/p>\n

How do you warn Coinbase of an error?<\/h2>\n

The VI\/Company team was unsure how to inform Coinbase about the vulnerability it had discovered and decided to do so through HackerOne, a vulnerability and rewards coordination platform that connects businesses with cybersecurity researchers.<\/p>\n

Through this platform, VI\/Company and Coinbase got in contact and began working together to solve the problem. Once it was fixed, Coinbase reached an agreement with VI\/Company not to disclose the findings of the vulnerability until after the 21st of March.<\/p>\n

Companies registered with HackerOne can financially reward those who detect security flaws and report them so that a solution can be found. That is why Coinbase rewarded VI\/Company with $10,000 for the vulnerability it helped find and correct.<\/p>\n

Once the bug was fixed, a short guide<\/a><\/strong> was published on the HackerOne website describing what had to be done to take advantage of this error.<\/p>\n

Steps To Reproduce:<\/strong><\/p>\n