According to a company blog article, Tree of Alpha reported the vulnerability to the company on the evening of February 11. He wrote that “he urgently needed to talk to Coinbase managers or developers, as the problem could not wait.” Exchange specialists contacted the hacker and began work on fixing the vulnerability.
The bug was found in a new trading function in the beta version of the site. A hacker using two accounts on the exchange could place orders to sell cryptocurrency using balances in other coins. That is, for example, he could “sell” 100 BTC, although his account would only have 100 SHIB.
“A user sent a market order in a BTC/USD pair to sell 100 BTC, but by manually adjusting the request in the platform’s API, used an account with a balance in SHIB as the source of funds. Accordingly, an order to sell 100 bitcoins would appear in the order book.” – Exchange representatives
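The missing check described above, as an added example that is not Coinbase's code or part of the original article: a simplified order validator whose flawed version compares only the numeric balance of the client-supplied source account, next to a strict version that also ties the account to the caller and to the asset being sold. All class, function and field names are hypothetical, and the way the flawed check fails is an assumption made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Account:                # hypothetical ledger account
    account_id: str
    owner: str
    currency: str
    balance: Decimal

@dataclass(frozen=True)
class SellOrder:              # hypothetical API request body
    user: str
    product: str              # e.g. "BTC-USD"
    size: Decimal             # amount of the base asset to sell
    source_account_id: str    # supplied by the client, so untrusted

class OrderRejected(Exception):
    """Raised when an order fails server-side validation."""

def validate_naive(order, accounts):
    """Flawed (assumed) check: compares numbers only, ignoring their currency."""
    acct = accounts[order.source_account_id]
    if acct.balance < order.size:
        raise OrderRejected("insufficient funds")
    return acct

def validate_strict(order, accounts):
    """Binds the source account to the caller and to the asset being sold."""
    acct = accounts.get(order.source_account_id)
    if acct is None or acct.owner != order.user:
        raise OrderRejected("unknown source account")
    base_asset = order.product.split("-")[0]
    if acct.currency != base_asset:
        raise OrderRejected("source account does not hold " + base_asset)
    if order.size <= 0 or acct.balance < order.size:
        raise OrderRejected("insufficient funds")
    return acct

# Constructed sample data mirroring the article's 100 BTC / 100 SHIB example.
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "alice", "SHIB", Decimal("100")),
    "acct-btc": Account("acct-btc", "alice", "BTC", Decimal("0.5")),
}
TAMPERED = SellOrder("alice", "BTC-USD", Decimal("100"), "acct-shib")
LEGIT = SellOrder("alice", "BTC-USD", Decimal("0.1"), "acct-btc")
```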
Coinbase paid Tree of Alpha a reward of $250,000 for discovering the vulnerability. The hacker noted that he discovered the vulnerability by accident – he managed to sell 0.0243 BTC using a similar amount of ETH in his wallet. He found out that the order was really executed by the site engine and contacted the exchange.
Recall that Coinbase shut down trading on the Advanced Trading platform after the vulnerability was reported.
Note that the man found the vulnerability and immediately reported it to the managers of the exchange instead of taking advantage of it. What do you think would have happened if he hadn’t reported it? I’m waiting for your suggestions in the comments.