
Looking Back: Recent Coinbase Bug Bounty Award | by Coinbase | February 2022


At Coinbase, our number one priority is to ensure that we meet our security commitments to our customers. On February 11, 2022, we received a report from a third-party researcher that they had discovered a flaw in Coinbase’s trading interface. We quickly mobilized our Security Incident Response team to identify and fix the bug, and resolve the underlying system issue without any impact on client funds.

This blog post provides a more in-depth look at the timeline of events surrounding the bug report, as well as an explanation of the bug itself and the steps we’ve taken to fix it and ensure it doesn’t happen again.

(Note: all events occurred on Feb 11, 2022, and all times are in PST.)

  • 10:16 a.m.: A member of the crypto community tweets that he discovered a serious flaw in the Coinbase trading interface and asks for contacts within the Coinbase Security team.
  • 11:00 a.m.: Based on limited initial information provided by intermediaries, Coinbase Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
  • 11:21 a.m.: The crypto researcher files a vulnerability report via HackerOne, Coinbase’s bug bounty platform, stating that the flaw resides in a specific API for Retail Advanced Trading. Coinbase engineers also perform a review of all other Coinbase Exchange UIs and APIs and determine that they are unaffected.
  • 11:42 a.m.: Coinbase engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed in rollback-only mode, disabling new transactions.
  • 4:01 p.m.: A patch is validated and released, resolving the incident.

The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only used by our Retail Advanced Trading platform, which is currently in limited beta.

To give an example:

  • A user has one account with 100 SHIB and a second account with 0 BTC.
  • The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
  • Here, the validation service would check if the source account had sufficient balance to complete the transaction, but not if the source account matched the asset offered to submit the transaction.
  • As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on Coinbase Exchange.
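As an added illustration (example code, not Coinbase’s own), the two validation paths side by side: a balance-only check that accepts the tampered request, and a check that also requires the source account’s asset to match the order book’s base asset. The account and order structures, the `product_id` format and the function names are assumptions made for this example.

```python
# Toy order validator mirroring the flaw described above.
# The Account/SellOrder shapes and "BASE-QUOTE" product ids are assumptions.
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    asset: str        # asset the account holds, e.g. "SHIB" or "BTC"
    balance: float


@dataclass
class SellOrder:
    product_id: str       # order book, e.g. "BTC-USD"
    size: float           # amount of the base asset to sell
    source_account: str   # account the client says funds the order


def base_asset(product_id: str) -> str:
    # "BTC-USD" -> "BTC": the asset being sold on that order book
    return product_id.split("-")[0]


def validate_balance_only(order, accounts):
    """Vulnerable check: confirms the source account has enough units,
    but never that those units are the asset the order book trades."""
    acct = accounts[order.source_account]
    if acct.balance < order.size:
        return False, "insufficient balance"
    return True, "accepted"


def validate_asset_and_balance(order, accounts):
    """Hardened check: source account must hold the order book's base asset."""
    acct = accounts[order.source_account]
    required = base_asset(order.product_id)
    if acct.asset != required:
        return False, f"source account holds {acct.asset}, order requires {required}"
    if acct.balance < order.size:
        return False, "insufficient balance"
    return True, "accepted"


# Constructed sample mirroring the write-up: 100 SHIB in one account, 0 BTC in another.
ACCOUNTS = {
    "shib-acct": Account("shib-acct", "SHIB", 100.0),
    "btc-acct": Account("btc-acct", "BTC", 0.0),
}
TAMPERED = SellOrder("BTC-USD", 100.0, "shib-acct")  # request edited to use the SHIB account
HONEST = SellOrder("BTC-USD", 100.0, "btc-acct")     # same order funded from the BTC account
```

With the balance-only check the tampered order is accepted, while the hardened check rejects it on the asset mismatch and rejects the honest order on its zero BTC balance.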

There were mitigating factors that would have limited the impact of this flaw if it had been exploited on a large scale. For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade monitoring team continuously monitors our markets for health and abnormal trading activity.

Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug within hours and conclusively determine that it was never maliciously exploited. We have also implemented additional controls to ensure this does not happen again.

Coinbase strongly supports independent security research, and when those researchers uncover serious issues, we want to make sure they are rewarded accordingly. As a result, we are paying our largest ever bug bounty for this discovery: $250,000.

We welcome future submissions from this researcher and others through our HackerOne program: https://hackerone.com/coinbase.