Site icon Sophos News

The bug that made free money

Free money

What would you do if you found a bug that could create money out of thin air?
Dutch web application boffins VI Company found one in popular cryptocurrency exchange Coinbase and used it to net themselves a cool $10,000.
Luckily for Coinbase, the bug finders earned their cash by reporting the issue to the exchange’s bug bounty program rather than by milking its broken code.
The trouble started when VI Company came up with the festive wheeze of giving out ether (the currency used by the Ethereum platform and the world’s second most popular cryptocurrency) as Christmas presents.

…we had some wallets which returned an error when we tried sending Ethereum there. This, in turn, stopped the execution of the smart contract and reversed all transactions as we expected it to do.
… one of our colleagues, who decided to use Coinbase as his wallet, told us he received the Ethereum.

After a bit of testing the company confirmed that it wasn’t a one-off. Every time it attempted to add ether to Coinbase wallets then the money would arrive without ever being sent.

Lo and behold we could reliably reproduce this bug and add Ethereum to our Coinbase wallets without ever sending any.

Although little information about the bug itself has been disclosed it seems that if the Ethereum-based smart contract hit a snag while it was running it would roll back any transactions it had run up to that point, a roll back Coinbase didn’t match.


The Ethereum platform is a complex beast that’s hosted its fair share of bugs-with-consequences.
Ethereum’s highlight reel includes a buggy wallet that froze $300 million, a flaw that was itself introduced by a smart wallet update designed to plug a hole that had been abused to extricate another $32 million.
That happened around a year after another theft of about $55 million from Ethereum’s now infamous DAO (Decentralized Autonomous Organization) program.
The money-for-nothing bug found by VI Company didn’t exist in Ethereum or one of the buggy smart-thingamies that runs in it though, this time the bug was in the Coinbase exchange.
Surprised? Probably not.
If there’s one thing that makes the hair-raising adventures of the Ethereum platform look unexciting, it’s the febrile exchange ecosystem that supports the trading of cryptocurrencies.
Cryptocurrency trading is run through with accusations of insider trading, scams and thieving owners, and it’s punctuated by colossal thefts of surprisingly valuable digital widgets you’ve never heard of. Thefts like Coincheck’s recent loss of half a billion dollars worth of, er, NEMs.
Thankfully, and not by accident, this bug was stomped on before anyone lost their shift.
If cryptocurrency exchanges are going to improve their image, and the chance of users holding on to their cryptocash, then they have to take security seriously, and been seen to do so.
By running a HackerOne bug bounty program Coinbase offer an incentive for people to find bugs and a clear, open channel through which it can learn about them and act.
In this case it moved to fix the flaw within a few short hours of learning about it.

Exit mobile version