Coinbase Pays $250k to Hacker Who Potentially Saved the Market Billions
By Wilfred Michael
Last week, the cryptocurrency community on Twitter was alarmed by a warning message from an anonymous hacker who claimed to have discovered a “market-nuking” bug on the Coinbase exchange.
The anonymous hacker who potentially saved the industry billions of dollars through responsible disclosure has received a $250,000 bounty from Coinbase.
Coinbase’s “largest-ever bug bounty”
How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase’s reaction speed on a Super Bowl Friday averted a possible crisis.
Bounty: $250,000 pic.twitter.com/Y91M48pCcI
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
Coinbase Fixes Market-Nuking Bug
The bug was described by the anonymous white hat “Tree of Alpha” as being related to Coinbase’s Advanced Trading platform. Unlike the simpler user interface for retail investors to buy and sell crypto, the Advanced Trading platform allows for more sophisticated trading tools and ordering methods.
However, Coinbase developers mistakenly shipped a bug that would allow users to sell assets that they don’t hold.
During their investigation, “Tree of Alpha” was initially surprised to learn that they could sell “0.0243 ETH” to receive “0.0243 BTC” using the BTC-USD pair, which they had not enabled for trading on their account.
Further tests revealed that the problem was more severe since users could place an order to sell 50 SHIB (worth $0.001) for 50 BTC, and this would be filled through Coinbase order books.
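The behaviour described above is what a balance check produces when it compares a quantity without checking which asset that quantity is denominated in. The Python example below is an added illustration, not Coinbase's code: the article does not describe the exchange's internals, so the request shape (a trading pair plus a separately named funding wallet), the account ids and the function names are all assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data: one user's wallets, keyed by a hypothetical account id.
WALLETS = {
    "acct-shib": {"asset": "SHIB", "balance": Decimal("50")},
    "acct-btc": {"asset": "BTC", "balance": Decimal("0.01")},
}


@dataclass(frozen=True)
class SellOrder:
    product: str         # trading pair, written base-quote, e.g. "BTC-USD"
    source_account: str  # wallet the client says will fund the sale
    size: Decimal        # quantity of the base asset to sell


def validate_naive(order, wallets):
    """Flawed check: compares the number only, never the asset it counts."""
    wallet = wallets.get(order.source_account)
    return wallet is not None and wallet["balance"] >= order.size


def validate_strict(order, wallets):
    """Return (ok, reason); the funding wallet must hold the pair's base asset."""
    base_asset, _, quote_asset = order.product.partition("-")
    if not base_asset or not quote_asset:
        return False, "malformed product"
    wallet = wallets.get(order.source_account)
    if wallet is None:
        return False, "unknown source account"
    if wallet["asset"] != base_asset:
        return False, f"source holds {wallet['asset']}, order sells {base_asset}"
    if order.size <= 0:
        return False, "size must be positive"
    if wallet["balance"] < order.size:
        return False, "insufficient balance"
    return True, "ok"


if __name__ == "__main__":
    # The article's case: a 50 BTC sell order funded from a wallet holding 50 SHIB.
    order = SellOrder("BTC-USD", "acct-shib", Decimal("50"))
    print("naive :", validate_naive(order, WALLETS))
    print("strict:", validate_strict(order, WALLETS))
```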
And quite frankly, there aren’t many things quite as sobering yet terrifying as realizing:
-you just put a 50 BTC limit sell order using 50 SHIB.
-everyone else can see it.
5 minutes later, I was sending this initial tweet. https://t.co/1hUDTlAvvJ pic.twitter.com/AQUbpdm8tw
— Tree of Alpha (@Tree_of_Alpha) February 19, 2022
As the white hat hacker subsequently pointed out, the situation was potentially “market-nuking” since a black hat hacker could have used the strategy to gradually drain Coinbase’s order books and try to withdraw the assets. Black hat hackers could also have stoked market panic around the bug while holding short positions on other exchanges to maximize profits.
The severity of the bug, and the fact that it could have potentially cost the market billions of dollars, have caused observers to question the $250,000 bounty.
Yo @coinbase @brian_armstrong if you pay bounties that much, be sure next time you’ll get hit.
— Pierre (@pierre_crypt0) February 19, 2022
In the meantime, industry participants can take solace in the community-led efforts that quickly brought the bug to Coinbase’s notice and got the issue resolved before it actually became a “market-nuking” incident.