'Market-Nuking' Coinbase API Bug Halted New Trading Orders
Flaw Allowed Those Who Don't Own BTC to Sell It; Researcher Got $250,000 Bounty
Coinbase, a cryptocurrency exchange platform, briefly halted its services on Feb. 11 after an independent security researcher had discovered a critical vulnerability in its Retail Advanced Trading platform. The bug, which allowed users to sell cryptocurrencies they did not own, was undisclosed at the time and was patched within hours. This weekend, the security researcher, aka Tree of Alpha, and Coinbase detailed the cause of the vulnerability and its potential impact.
The researcher said he received a bounty of $250,000 for discovering the bug. Coinbase says the amount is the "largest-ever" paid by the company.
Coinbase's "largest-ever bug bounty"
How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis.
Bounty: $250,000 pic.twitter.com/Y91M48pCcI
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
In its blog post, Coinbase says that the critical vulnerability was found in a specific API used on its Retail Advanced Trading service.
The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, and it allowed a user to submit trades to a particular order book using a mismatched source account, the company says.
The critical vulnerability's impact was restricted as the vulnerable API was only used by its Retail Advanced Trading platform, which is still under a limited beta release, according to Coinbase.
Coinbase says the flaw can be executed and exploited in the following four steps:
- A user needs to have two accounts. Let's assume one contains 100 SHIB and the other contains 0 BTC.
- The user submits a market order to the BTC-USD order book to sell 100 BTC through the platform, but manually edits the API request and specifies the SHIB account as the source of funds.
- The validation service checks whether the source account has sufficient funds to complete the trade, but it does not check whether the source account actually holds the asset being sold in the proposed trade.
- As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange successfully, although the user had 0 BTC.
The researcher, on his Twitter account, dissected the vulnerability with a similar example and screenshots that he had taken while he was studying how the orders were successfully sent on the Advanced Trading platform of Coinbase.
Tree of Alpha says that he placed an ETH-EUR order from the UI, inspected the request that was sent and noticed that the API required a product ID plus source and target account IDs for a successful order placement.
To provoke an error message, the researcher changed the product_id to BTC-USD but left the two account IDs unchanged: the source was still his ETH wallet and the target his EUR wallet. He expected an error because his account was not allowed to trade the BTC-USD pair, but surprisingly the order went through.
Initially, the researcher thought he was experiencing a user interface bug so he checked the fills in the order, which matched the API. "Those trades really happened on the live order book," he said.
The researcher used another test before reporting the flaw to Coinbase, and it confirmed his findings.
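To make the missing check concrete, here is an added illustration (not Coinbase's code; the account IDs, balances and the SellOrder request shape are constructed for the example) of a sell-order validator that only checks the source balance, as the Coinbase and Tree of Alpha descriptions above indicate, beside one that also requires the source and target accounts to hold the pair's base and quote assets:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    currency: str   # asset this account holds, e.g. "BTC"
    balance: float

@dataclass(frozen=True)
class SellOrder:
    product_id: str          # trading pair, e.g. "BTC-USD"
    size: float              # amount of the base asset to sell
    source_account_id: str   # account the sold asset is debited from
    target_account_id: str   # account the proceeds are credited to
# Constructed accounts mirroring the article's examples (not real data)
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "SHIB", 100.0),
    "acct-btc": Account("acct-btc", "BTC", 0.0),
    "acct-usd": Account("acct-usd", "USD", 0.0),
    "acct-eth": Account("acct-eth", "ETH", 5.0),
    "acct-eur": Account("acct-eur", "EUR", 0.0),
}

def validate_balance_only(order, accounts):
    """Reproduces the defect described above: the balance is checked,
    but not whether the account actually holds the asset being sold."""
    src = accounts[order.source_account_id]
    if src.balance < order.size:
        return False, "insufficient funds"
    return True, "accepted"

def validate_sell_order(order, accounts):
    """Hardened check: the accounts must hold the pair's base and quote
    assets before the balance is even considered."""
    parts = order.product_id.split("-")
    if len(parts) != 2:
        return False, "malformed product_id"
    base, quote = parts
    src = accounts.get(order.source_account_id)
    dst = accounts.get(order.target_account_id)
    if src is None or dst is None:
        return False, "unknown account"
    if src.currency != base:
        return False, f"source holds {src.currency}, order sells {base}"
    if dst.currency != quote:
        return False, f"target holds {dst.currency}, order receives {quote}"
    if src.balance < order.size:
        return False, "insufficient funds"
    return True, "accepted"
```

Run over the article's two cases, the SHIB-funded BTC-USD sell and the researcher's ETH/EUR-funded BTC-USD order, the balance-only check accepts both and the hardened check rejects both before any balance is consulted.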
Coinbase says that although this vulnerability existed they already had mitigating factors in place that would have limited the impact of this flaw had it been exploited on a larger scale. "For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and anomalous trading activity," the company says in its blog post.
Tree of Alpha called the vulnerability "potentially market-nuking" and said it required immediate attention. He also asked the wider community to help him reach Coinbase's upper management or at least its development team.
Anyone here can get me a direct line with someone at @coinbase, preferably management or dev team, possibly @brian_armstrong himself?
I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking.
— Tree of Alpha (@Tree_of_Alpha) February 11, 2022
Later, Brian Armstrong, co-founder and CEO of Coinbase, replied to the researcher's tweet, confirming that his team was investigating the vulnerability. Within an hour of that reply, Coinbase halted its Retail Advanced Trading service, citing technical issues; the service remained accessible in "cancel-only" mode, so existing orders could be cancelled but no new orders could be placed.
Coinbase also said that it had only suspended its retail advanced trading service, and there was no impact on the simple trading services of Coinbase.com and Coinbase Pro.
At the time, Tree of Alpha confirmed in a tweet that Coinbase had not yet awarded him a bounty, as its team was still assessing the full extent of the exploit. He also said that he had not reported the flaw in order to get a bounty. "Priority was to get this fixed ASAP to not have it fall in the wrong hands. If Coinbase wants to award a bounty to encourage other people to do the right thing next time, they can," the researcher tweeted.
Coinbase later awarded the security researcher a $250,000 bug bounty. Many of his Twitter followers say the bounty is very low compared with the criticality of the bug. One, named Pierre, who claims to be a crypto analyst, addressed the CEO of Coinbase in a tweet: "If you pay bounties that much, be sure next time you'll get hit."
API Runtime Security Needed
This is an API business logic error that is almost impossible to defend against without the proper API context, according to Filip Verloy, technical evangelist for EMEA at Noname Security. But crypto platforms should adopt a more holistic approach to API security, he says.
Verloy says everyone should implement an approach that includes "testing APIs against known API security issues and establishing best practices in pre-production," meaning shift left. He says implementing API runtime security to detect malicious activity in real time is important, and that implementing API posture management to discover and mitigate API misconfigurations will "de-risk the platform."
"Since API services are getting more and more sophisticated, we need to do all we can to prevent putting these issues into production. Good security hygiene and responsible disclosure from security researchers through bug bounty programs would go some way to mitigate this," Verloy says.