Coinbase Survives “Market-nuking” Bug in Latest CEX Failing
Cash.Tech Newsletter #18: Coinbase saved from critical vulnerability as investors embrace self-custodial options
What would you do if you discovered a way to sell 50 SHIB (worth $0.002) and receive 50 BTC (worth $1,900,000)? A registered user found out exactly how to do so on the Coinbase exchange, but chose to responsibly disclose the vulnerability instead of exploiting it for personal gains. Finding such a massive loophole in one of the most prominent centralized exchange (CEX) venues lends further credence to ongoing campaigns for users to move their assets to self-custodial solutions.
In this week’s Cash.Tech Newsletter, we bring you a roundup of the Coinbase bug story, and highlight basic ways that you can stay protected while using a centralized trading platform (if you must). As usual, here’s a quick breakdown of what we have been working on in the past week.
Cash.Tech development update
The Cash.Tech team is pleased to report another largely successful week of development work on the Merchant Protocol. This week, we completed designs for the merchant product catalog as well as finalized requirements for the product payment process.
Another significant progress made in the past week involves a key decision regarding the best storage mechanism for transacted product data. Following rigorous research and deliberations, the Cash.Tech team has elected to store transacted product data on the blockchain. Such data which includes buyer and merchant addresses, product descriptions and prices will be stored on the blockchain to serve as a source of truth and aid the quick resolution of trading disputes.
In the week ahead, the team will continue developing the merchant registration process and payment listing features of the Merchant Protocol. We are also working towards getting the latest Cash.Tech Wallet version listed on the Apple Store and will keep the community updated on our progress.
Coinbase survives bug scare in build-up to Super Bowl moment
Publicly-traded cryptocurrency exchange company Coinbase is one of the few remaining centralized exchanges that have never suffered a large-scale security breach. Statistics show that over $1.3 billion has been lost to security breaches on centralized exchanges in the past decade.
Coinbase’s clean slate was almost tainted after an advanced user discovered a critical vulnerability on the Coinbase Advanced Trading platform. Coinbase launched the advanced trading functionality in beta mode last November, revealing plans to gradually roll it out to its user base of over 73 million customers.
An unidentified user with the Twitter handle Tree_of_Alpha reported on February 11, 2022 that they discovered a potentially “market-nuking” vulnerability on the Coinbase Advanced Trading platform. The urgent tone conveyed in the tweet meant that the community was quick to link the trader to the Coinbase team, allowing for a quick fix of the security issue. Thereafter, the public was largely kept in the dark regarding the severity of the bug, until February 19, 2022 when Coinbase published a retrospective report.
As per Coinbase, the “market-nuking” loophole involved a missing API validation check service. By design, the advanced trading platform should allow users to trade only assets they hold on their account. However, the missing validation check created a loophole for traders to sell one asset using another. For instance, a user could set a sell order for 50 BTC worth ($1,900,000) even though they only had 50 SHIB (worth $0.002). As confirmed by Tree_of_Alpha during a test, a faulty order was passed onto the global Coinbase order book and could be filled given the platform’s deeply liquid Bitcoin market.
If this critical vulnerability had ended up in the hands of a black hat hacker, it is not hard to imagine the cascading effects it would have had on all Coinbase users and investors, as well as the nascent $2 trillion dollar crypto market. The bad actor could have potentially earned millions, if not billions, by creating market panic around the bug discovery while simultaneously shorting the crypto market as well as Coinbase’s stock.
The amount of value at risk caused onlookers to question the size of the $250,000 bounty which Coinbase handed out to the white hat hacker as a reward. Only a few days after the incident Coinbase splashed over $14 million on a super bowl ad that directed an estimated 20 million users to their website in a minute. One might easily argue that the now famous ad would probably have been canceled or yielded less results if Coinbase was hacked a few days earlier.
Although the white hat’s responsible disclosure saved Coinbase users and investors from severe losses, it served as a reminder of why crypto investors are often better off holding the private keys to their assets.
Self-custodial crypto wallet solutions are invaluable
At this time, centralized exchanges still handle the majority of the global crypto trading volume. However, the risks associated with storing assets on such third-party websites is one that industry participants must recognize. The risks are further aggravated by recent developments around government confiscation of crypto assets stored on exchanges.
Users can mitigate such risks by choosing to store the majority of their frequently transacted crypto assets using a self-custodial option like the Cash.Tech Wallet. Cash.Tech’s DeFi integration also supports the trading of crypto assets using decentralized exchanges, meaning users only need to use centralized venues on rare occasions.
Cash.Tech is already live on Mainnet for Android and iOS users. Android users can now access the app on Google Playstore, with the iOS version coming to the Apple Store in the coming weeks! Apple Users can access Cash.Tech via https://testflight.apple.com/join/In3h8jr9.