Cryptocurrency is often touted as the next monetary replacement, but we have a ways to go until the technology around it is fully ready or stable. Here's the Coinbase bug that could have upset the entire market.
A few weeks ago, Coinbase.com awarded their largest ever bug bounty to "Tree of Alpha" (Twitter) for finding a vulnerability that would have allowed a malicious user to sell BTC, or ANY other coin, without even owning the asset.
At first, our friend 'Tree' was poking around the advanced trading platform to see how the order API worked. He placed a normal order from the web UI, then captured the request that was sent. Notice the parameters "product_id", "source_account_id", and "target_account_id" near the bottom half of the image below.
This is the information that tells the server what to trade and where the money moves: "product_id" names the trading pair (which asset is sold and which is received), while "source_account_id" and "target_account_id" name the wallet to debit and the wallet to credit. In the image above he had sent a test order selling 0.02433012 Ethereum at a limit price of $3,000, so product_id was ETH-USD, the source account was his ETH wallet, and the target account was his USD wallet.
The first step of testing is to try to break the application. Finding where its limits and boundaries are, and checking whether the server actually enforces them or just trusts what the client sends, is a great way to see how far they can be pushed.
Tree decided to change 'product_id' to 'BTC-USD', a pair whose base asset, Bitcoin, he did not hold at all. However, he left 'source_account_id' and 'target_account_id' the same, still pointing at his ETH and USD wallets.
He sent the modified payload, and... it went through?
The order landed in the BTC-USD book as a sale of 0.02433012 Bitcoin, funded by the same 0.02433012 from his Ethereum wallet, even though he owned no Bitcoin. The server never checked that the source account actually held the currency the product was selling. Hoping it was only a visual bug, he checked the live order fills; they corresponded to real, open orders, and his tests were confirmed.
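To make the flaw concrete, here is a constructed model of the order flow described above. This is added example code, not Coinbase's code and not anything Tree published; the account names, balances, product table and handler functions are all invented. It replays a captured-style order with only product_id changed, first against a handler that debits the source account and books the order under whatever product_id it was given, then against a hardened handler that insists the product's base and quote currencies match the source and target accounts.

```python
from copy import deepcopy
from dataclasses import dataclass
from decimal import Decimal


# Constructed ledger for one user: ETH and USD wallets only, no BTC wallet.
# Names and balances are invented for the example.
@dataclass
class Account:
    account_id: str
    currency: str
    balance: Decimal


ACCOUNTS = {
    "acct-eth": Account("acct-eth", "ETH", Decimal("0.02433012")),
    "acct-usd": Account("acct-usd", "USD", Decimal("0")),
}

# product_id -> (base currency sold, quote currency received)
PRODUCTS = {
    "ETH-USD": ("ETH", "USD"),
    "BTC-USD": ("BTC", "USD"),
}

# What the web UI sends for a legitimate limit sell (constructed payload,
# shaped like the captured request in the write-up).
CAPTURED_ORDER = {
    "product_id": "ETH-USD",
    "side": "sell",
    "size": "0.02433012",
    "limit_price": "3000",
    "source_account_id": "acct-eth",
    "target_account_id": "acct-usd",
}


def place_sell_order_vulnerable(order, accounts):
    """Books the order the way the bug report describes: size is debited from
    source_account_id and the order is recorded under product_id, but nothing
    checks that the source account holds the product's base currency."""
    src = accounts[order["source_account_id"]]
    size = Decimal(order["size"])
    if size <= 0 or src.balance < size:
        raise ValueError("insufficient funds")
    src.balance -= size
    return {
        "status": "open",
        "product_id": order["product_id"],
        "size": str(size),
        "debited_currency": src.currency,                # ETH leaves the wallet...
        "booked_as": PRODUCTS[order["product_id"]][0],   # ...but the book sees BTC
    }


def place_sell_order_hardened(order, accounts):
    """Same flow plus the missing consistency checks: the product's base and
    quote currencies must match the source and target accounts."""
    if order["product_id"] not in PRODUCTS:
        raise ValueError("unknown product")
    base, quote = PRODUCTS[order["product_id"]]
    src = accounts[order["source_account_id"]]
    tgt = accounts[order["target_account_id"]]
    if src.currency != base:
        raise PermissionError(f"source account holds {src.currency}, product sells {base}")
    if tgt.currency != quote:
        raise PermissionError(f"target account holds {tgt.currency}, product pays {quote}")
    size = Decimal(order["size"])
    if size <= 0 or src.balance < size:
        raise ValueError("insufficient funds")
    src.balance -= size
    return {"status": "open", "product_id": order["product_id"], "size": str(size),
            "debited_currency": src.currency, "booked_as": base}


def tamper(order, **changes):
    """Replay step: copy the captured request and overwrite chosen fields,
    which is all that editing the JSON body in a browser or proxy does."""
    modified = dict(order)
    modified.update(changes)
    return modified


def run(handler, order):
    """Run one handler against a fresh copy of the ledger and return the
    outcome instead of raising, so both handlers can be compared."""
    try:
        return {"accepted": True, **handler(order, deepcopy(ACCOUNTS))}
    except (ValueError, PermissionError) as exc:
        return {"accepted": False, "reason": str(exc)}


def demo():
    tampered = tamper(CAPTURED_ORDER, product_id="BTC-USD")
    return {
        "vulnerable_tampered": run(place_sell_order_vulnerable, tampered),
        "hardened_tampered": run(place_sell_order_hardened, tampered),
        "hardened_original": run(place_sell_order_hardened, CAPTURED_ORDER),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable handler accepts the tampered order, debits ETH and books it as a BTC sale; the hardened one rejects it because the source account's currency is not the product's base, while still accepting the untouched ETH-USD order. The general lesson is that every identifier a client supplies (product, source account, target account) has to be checked against the others server-side, not just individually validated.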
With a simple change to one string in a request to a publicly available API, made from a web browser, he had broken the security of the largest cryptocurrency exchange in the United States.
Time for the last test. He listed 50 BTC in exchange for 9M SHIBA and asked other users online whether they could see the order as well. They confirmed it, and he contacted Coinbase.
If this bug had been abused in the wild, there's no telling the damage it could have caused to the market. Coinbase is so influential that even prices on other exchanges would have been affected, and many other public-facing APIs take their crypto prices from Coinbase. It could have set off a chain-reaction sell-off, but there's no way to know for sure, since it was fixed before any harm was done.
What does this tell us? Well, that crypto is nowhere near as stable as some make it out to be. Note that the bug was in Coinbase's centralized order system, not in Bitcoin or the blockchain itself, but that is exactly the point: the exchanges and APIs everyone actually trades through are ordinary web applications with ordinary web bugs. Blockchain is an amazing technology (how the heck does it work exactly though?), but it's not being utilized to the fullest yet.
I'm not saying don't invest in Bitcoin, I'm saying don't throw your life savings in there when someone with Firefox 97 is all that stands between the market and total collapse.
Published 2022-03-08 08:59:00