VI Company, a Dutch firm that researches and counters security flaws in financial systems, has disclosed through HackerOne a significant issue in the way Coinbase credited Ethereum (ETH) sent to it by smart contracts.
VI Company, whose clients include international banking institutions such as ING, ABN Amro, Börse Stuttgart and PGGM as well as the blockchain platform Cardano, which it helps to "future proof" their financial operations, found and reported a significant bug in how the major cryptocurrency broker Coinbase handled ETH deposits originating from Ethereum smart contracts.
According to VI Company, the flaw was spotted back in December 2017 but could not be made public until now, so that no window was left for malicious users to abuse it. The problem lay in Coinbase's own internal handling of ETH deposits, not in Ethereum itself, as many assumed. Coinbase rewarded the Dutch firm's find and its discretion with a bounty of $10,000 USD.
“You can imagine that some companies might not be very happy if you post stuff like this in public. Luckily, a security course at the Hogeschool Rotterdam showed me the platform HackerOne and how it can help in these kinds of situations.” – said Jesse Lakerveld, a blockchain specialist from the VI Company.
HackerOne is an online platform where companies can register to accept responsible disclosure. Responsible disclosure means that the finder and the company agree on certain rules for reporting issues found in the company's systems: which testing is and is not allowed while looking for a bug, and when the finder may go public, whether right after finding the issue, once the issue is resolved, or after a set period has elapsed since the issue was reported to the company. In return, people who find such issues and follow the guidelines may receive a reward.
“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed. The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only accidental loss for Coinbase and no exploitation attempts.” – Coinbase officials stated via the HackerOne platform.
In short, by using a smart contract to distribute Ethereum (ETH) over a set of wallets, you could inflate the balance of your Coinbase account without any ETH actually arriving.
An Ethereum transaction is atomic: if one of the internal transfers made by the contract fails and the contract does not catch the failure, the whole transaction reverts and every transfer before it, including those that appeared to succeed, is rolled back on-chain. Coinbase, however, credited those internal transfers anyway and did not reverse them, so someone could add as much ether to their Coinbase balance as they wanted.
Looking up the Coinbase deposit address on-chain after such a transaction shows that nothing arrived, yet the Coinbase account shows the credited funds.
VI Company described the following steps to "fool" a Coinbase Ethereum (ETH) wallet:
- Set up a smart contract that pays out to a few valid Coinbase deposit addresses and, last of all, to one faulty address.
- Transfer the appropriate funds to the smart contract.
- Execute the smart contract. Coinbase credits the set amount of ETH to each Coinbase wallet, yet the ETH never actually leaves the contract, because the transaction reverts at the final, faulty wallet.
- Repeat until you have more than enough Ethereum (ETH) in your Coinbase wallet.
- Cash out, transferring to an off-site wallet.
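To make the failure mode concrete, here is an added example in Python; it is not code from VI Company, Coinbase or the original article, and the page does not say how Coinbase's receiving code actually worked. It models a deposit indexer that walks a transaction trace shaped like geth's callTracer output (a root frame with nested `calls`, each frame carrying `from`, `to`, `value` and, when it reverted, an `error`). The contract address, deposit addresses and the two traces are constructed placeholders. `credit_naive` reproduces the bug class: it checks only each frame's own `error`, so the earlier payouts of a reverted transaction still look good. `credit_checked` credits a transfer only if its frame and every ancestor succeeded.

```python
"""Crediting ETH that arrives via smart contracts: the revert pitfall.

A contract-to-wallet transfer is an internal CALL, not a top-level
transaction, so an exchange has to walk a trace to see it. When a later
sub-call fails and the contract lets the failure propagate, the EVM rolls
back everything in that scope, including earlier transfers that executed
fine. Those earlier frames carry no "error" of their own; only the ancestor
that reverted does. Checking frames in isolation credits ETH that never moved.
"""
from typing import Iterator, Optional

# Deposit addresses under the exchange's control (constructed placeholders,
# not real Coinbase addresses).
DEPOSIT_ADDRESSES = {
    "0xaaaa000000000000000000000000000000000001",
    "0xaaaa000000000000000000000000000000000002",
}
ONE_ETH = 10**18


def payout_frame(to: str, error: Optional[str] = None) -> dict:
    """Build one constructed internal CALL of 1 ETH from the batch contract."""
    frame = {"type": "CALL", "from": "0xbatchcontract", "to": to, "value": ONE_ETH}
    if error:
        frame["error"] = error
    return frame


# Constructed trace of the pattern in the article: two payouts to valid deposit
# addresses, then a payout to a faulty address that reverts. The contract does
# not catch the failure, so the root frame reverts as well and nothing moved.
TRACE_REVERTED = {
    "type": "CALL", "from": "0xattacker", "to": "0xbatchcontract", "value": 0,
    "error": "execution reverted",
    "calls": [
        payout_frame("0xaaaa000000000000000000000000000000000001"),
        payout_frame("0xaaaa000000000000000000000000000000000002"),
        payout_frame("0xfaulty", error="execution reverted"),
    ],
}

# Same payouts, but the contract catches the failed call: only that one frame
# reverts, the root succeeds, and the two deposits really happened.
TRACE_PARTIAL = {
    "type": "CALL", "from": "0xattacker", "to": "0xbatchcontract", "value": 0,
    "calls": [
        payout_frame("0xaaaa000000000000000000000000000000000001"),
        payout_frame("0xaaaa000000000000000000000000000000000002"),
        payout_frame("0xfaulty", error="execution reverted"),
    ],
}


def walk(frame: dict, ancestor_failed: bool = False) -> Iterator[tuple]:
    """Yield (frame, rolled_back) for every frame in the call tree.

    A frame's state changes survive only if neither it nor any ancestor
    reverted, so the rolled-back flag is inherited down the tree.
    """
    rolled_back = ancestor_failed or "error" in frame
    yield frame, rolled_back
    for child in frame.get("calls", []):
        yield from walk(child, rolled_back)


def _is_value_transfer(frame: dict) -> bool:
    # Only CALL moves ETH here: DELEGATECALL and STATICCALL never carry value.
    # CREATE and SELFDESTRUCT also move balance but are left out of this example.
    return frame.get("type") == "CALL" and frame.get("value", 0) > 0


def credit_naive(trace: dict) -> dict:
    """Vulnerable: credits every value-bearing CALL into a deposit address,
    consulting only that frame's own "error". Credits transfers that were
    rolled back when an ancestor reverted."""
    credited: dict = {}
    for frame, _ in walk(trace):
        if "error" in frame or not _is_value_transfer(frame):
            continue
        if frame["to"] in DEPOSIT_ADDRESSES:
            credited[frame["to"]] = credited.get(frame["to"], 0) + frame["value"]
    return credited


def credit_checked(trace: dict) -> dict:
    """Hardened: a transfer counts only if its frame and every ancestor
    succeeded. The receipt's status alone is not enough either: in
    TRACE_PARTIAL the root succeeds while one subtree is rolled back."""
    credited: dict = {}
    for frame, rolled_back in walk(trace):
        if rolled_back or not _is_value_transfer(frame):
            continue
        if frame["to"] in DEPOSIT_ADDRESSES:
            credited[frame["to"]] = credited.get(frame["to"], 0) + frame["value"]
    return credited


if __name__ == "__main__":
    print("naive,   reverted tx:", credit_naive(TRACE_REVERTED))    # 2 ETH that never moved
    print("checked, reverted tx:", credit_checked(TRACE_REVERTED))  # {}
    print("checked, partial tx: ", credit_checked(TRACE_PARTIAL))   # 2 ETH, correctly
```

The same rule applies whatever the trace source: with geth's `debug_traceTransaction` and the `callTracer`, a reverted frame carries `error` and its children keep theirs, so the flag has to be propagated down the tree as `walk` does; with the flat `trace_transaction` format of OpenEthereum-style nodes, the ancestor relation is recovered from each trace's `traceAddress` instead. Reconciling credited amounts against the deposit address's actual on-chain balance, as the article's "look up the Coinbase wallet address" step suggests, is a cheap second line of defence.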
In principle, anyone who had found the flaw before it was fixed, or who had seen the private HackerOne report, could have credited themselves an arbitrary amount of ETH, bounded only by what Coinbase would actually let them withdraw.
There are still a tremendous number of bugs in cryptocurrency platforms, exchanges and networks, waiting for the right eye to spot them.
Thankfully, companies like VI Company exist to report such issues with discretion rather than leak this kind of volatile information.
What do you think about the matter? Is $10,000 a decent sum for a bug that could literally have made someone a multi-millionaire overnight? Let me know your thoughts in the comments below.
Reporting for cryptogazette.com, Ross Peili