By Jamie Redman
Coinbase Glitch Allowed Unlimited Ethereum Balances
On March 21, the San Francisco-based exchange Coinbase publicly revealed an ethereum balance glitch that allowed users to manipulate their account balances. Researchers noticed that, by using a smart contract, a person could add as much ethereum as they wanted to their account.
Smart Contract Manipulation Allowed Unlimited Ethereum Balances on Coinbase
Researchers recently found a vulnerability in the Coinbase platform that allowed a user to add as much ether as they wanted to their account by using a smart contract. The bug was revealed to the public on March 21, but the issue had existed since December of 2017. Coinbase paid the Dutch research analysts' firm Vicompany a $10,000 reward after it discovered the glitch.
“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed,” explains the San Francisco trading platform.
The issue was fixed by changing the contract handling logic — Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts.
Not the Only Exchange With an Unlimited Coin Glitch
According to Vicompany, a malicious actor could manipulate their ether balance by using a smart contract to distribute ether throughout a set of wallets. Vicompany explains that if one of the internal transactions fails, all prior transactions would be reversed. However, on the Coinbase interface, the transactions did not revert. The third-party researcher states in the disclosure:
On Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want.
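The failure mode described above, as an added example (not Coinbase's or Vicompany's code): a deposit scanner that credits every transfer seen in a transaction trace, beside a version that first checks the receipt status and skips failed call frames. The addresses and sample traces are constructed, and the field names assume standard Ethereum receipts and geth's callTracer output.

```python
# Constructed sample data. Field names follow Ethereum receipts ("status") and
# geth's callTracer output ("type", "to", "value", "error", "calls").
ETH = 10**18
DEPOSIT_ADDRS = {"0xaaa1", "0xaaa2"}  # hypothetical exchange deposit wallets

def call(to, wei, error=None, calls=()):
    """Build one constructed call frame for the sample traces below."""
    frame = {"type": "CALL", "to": to, "value": hex(wei), "calls": list(calls)}
    if error:
        frame["error"] = error
    return frame

# Whole transaction reverted: the last payout failed, so nothing moved on-chain.
REVERTED = ({"status": "0x0"}, call("0xc0de", 2 * ETH, "execution reverted", [
    call("0xaaa1", ETH), call("0xaaa2", ETH), call("0xbad0", 0, "out of gas")]))
# Transaction succeeded, but one inner frame (and the payout under it) failed.
PARTIAL = ({"status": "0x1"}, call("0xc0de", 2 * ETH, None, [
    call("0xc0d2", ETH, "execution reverted", [call("0xaaa1", ETH)]),
    call("0xaaa2", ETH)]))

def _transfers(frame, honor_errors):
    """Yield (to, wei) for value-bearing calls in the trace tree."""
    if honor_errors and frame.get("error"):
        return  # a failed frame reverts itself and everything beneath it
    wei = int(frame.get("value", "0x0"), 16)
    if wei > 0 and frame.get("type") == "CALL":
        yield frame["to"], wei
    for child in frame.get("calls", []):
        yield from _transfers(child, honor_errors)

def _credit(trace, honor_errors):
    """Sum the transfers that land on exchange deposit addresses."""
    out = {}
    for to, wei in _transfers(trace, honor_errors):
        if to in DEPOSIT_ADDRS:
            out[to] = out.get(to, 0) + wei
    return out

def naive_credits(receipt, trace):
    """Flawed: credits every transfer seen in the trace, failed or not."""
    return _credit(trace, honor_errors=False)

def safe_credits(receipt, trace):
    """Credit only transfers whose transaction and enclosing frames all succeeded."""
    if receipt.get("status") != "0x1":
        return {}
    return _credit(trace, honor_errors=True)
```
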
Coinbase is not the only exchange that has suffered from glitches that allow people to manipulate balances. This past February the Japanese exchange Zaif had a bug that let users purchase BTC for zero dollars. A month prior to the Zaif incident, the company Overstock had an API glitch which allowed users to pay for goods using BCH for a product priced in BTC.