Retrospective: Recent Coinbase Bug Bounty Award
At Coinbase, our number one priority is ensuring that we uphold our security commitments to our customers. On February 11, 2022, we received a report from a third-party researcher indicating that they had uncovered a flaw in Coinbase’s trading interface. We promptly mobilized our security incident response team to identify and patch the bug, and resolved the underlying system issue without any impact to customer funds.
This blog post provides a deeper look into the timeline of events surrounding the bug report, as well as an explanation of the bug itself and the steps we took to resolve it and ensure it cannot happen again.
Timeline
(note, all events occurred on February 11, 2022, and all times are in PST)
- 10:16 AM: A member of the crypto community tweets that they have uncovered a serious flaw in the Coinbase trading interface, and requests contacts in the Coinbase Security team.
- 11:00 AM: Based on limited initial information provided by intermediaries, Coinbase Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
- 11:21 AM: The crypto researcher files a vulnerability report via HackerOne, Coinbase’s bug bounty platform, indicating that the flaw resides in a specific API for Retail Advanced Trading. Coinbase engineers also complete a review of all other user interfaces and Coinbase Exchange APIs and determine that they are not impacted.
- 11:42 AM: Coinbase engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed into cancel-only mode, disabling new trades.
- 4:01 PM: A patch is validated and released, resolving the incident.
Root Cause
The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release.
To give an example:
- A user has an account with 100 SHIB, and a second account with 0 BTC.
- The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
- Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade.
- As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
There were mitigating factors that would have limited the impact of this flaw had it been exploited at scale. For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and anomalous trading activity.
Conclusion
Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug in a matter of hours, and conclusively determine that it has never been maliciously exploited. We have also implemented additional checks to ensure that it cannot happen again.
Coinbase strongly supports independent security research, and when those researchers uncover serious issues, we want to ensure that they are rewarded accordingly. As a result, we are paying our largest-ever bug bounty for this finding: $250,000.
We welcome future submissions from this researcher and others via our HackerOne program: https://hackerone.com/coinbase.
Retrospective: Recent Coinbase Bug Bounty Award was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.