Cryptocurrency exchange Coinbase revealed on March 21 that an Ethereum balance bug allowed users to change their account balances. The team observed that any user could add as much ethereum (ETH) as they wished to their balance.
While the bug was discovered on March 21, the error had existed since December 2017, according to Coinbase. The researchers who found the glitch are a team of analysts from the Netherlands dubbed Vicompany. According to the research company, the bug allowed users to change their balances by using ETH smart contracts.
“The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed,” stated a spokesperson from Coinbase.
The researchers declared that this glitch could have been used by cybercriminals to distribute unlimited ETH to any wallet they wished. Furthermore, Vicompany said that if one of the transactions fails, all the operations before the failed one would be reversed. While this process should happen automatically, the transactions on Coinbase were not reversed. However, the team of analysts has stated that the problem is solved.
The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts.
On Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want.
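The failure mode described above can be shown with a small deposit-crediting routine. This is an added illustration, not Coinbase's or Vicompany's code; the trace layout, field names and addresses are constructed assumptions, and it contrasts crediting every internal transfer with crediting only transfers from call frames that succeeded.

```python
from collections import defaultdict

# Constructed sample traces. The frame fields (to, value, error, calls) are
# assumptions modelled on a nested call trace; values are in wei.
DEPOSIT_ADDR = "0xexchange_deposit"  # placeholder, not a real address

# The contract pays the deposit address, then a later transfer fails and the
# whole transaction reverts.
FAILED_TX = {
    "to": "0xsplitter_contract", "value": 0, "error": "execution reverted",
    "calls": [
        {"to": DEPOSIT_ADDR, "value": 5 * 10**18, "calls": []},
        {"to": "0xother", "value": 1 * 10**18, "error": "out of gas", "calls": []},
    ],
}
# The transaction succeeds, but one nested call (and its transfer) reverts.
OK_TX = {
    "to": "0xsplitter_contract", "value": 0,
    "calls": [
        {"to": DEPOSIT_ADDR, "value": 2 * 10**18, "calls": []},
        {"to": "0xhelper", "value": 0, "error": "execution reverted",
         "calls": [{"to": DEPOSIT_ADDR, "value": 7 * 10**18, "calls": []}]},
    ],
}


def _walk(frame, watched, credits, honour_failures):
    # A failed frame rolls back its own transfer and every nested call,
    # so the whole subtree is skipped when failures are honoured.
    if honour_failures and frame.get("error"):
        return
    if frame["to"] in watched and frame["value"] > 0:
        credits[frame["to"]] += frame["value"]
    for child in frame.get("calls", []):
        _walk(child, watched, credits, honour_failures)


def naive_credits(trace, watched):
    """Flawed logic: credits every internal transfer, even reverted ones."""
    credits = defaultdict(int)
    _walk(trace, watched, credits, honour_failures=False)
    return dict(credits)


def safe_credits(trace, watched):
    """Credits only transfers whose frame and all ancestors succeeded."""
    credits = defaultdict(int)
    _walk(trace, watched, credits, honour_failures=True)
    return dict(credits)
```
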
Coinbase had a history of bugs before this one. In January, after the exchange teamed up with the retailer Overstock, Coinbase was contacted by a group of white hat hackers who informed it that they had encountered an enormous error. While one of them was trying to buy goods via Overstock, the option for bitcoin payments was mixed up with the one for bitcoin cash.
The white hat hacker who discovered the error mentioned that he was buying outdoor solar lamps. When he proceeded to the bitcoin payment portal, he was able to send the requested amount in bitcoin cash.
“Logging into Coinbase, I took the bitcoin address and pasted that into the “pay to:” field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin,” stated the white hat hacker.
Furthermore, after he rejected the purchase, Coinbase gave him a refund in bitcoins, not BCH.
Even though glitches are normal, especially when using new technologies, crypto exchanges have started to encounter a lot of balance-related errors. The most recent episode was at the Zaif exchange in Japan, where a bug let users buy bitcoin at a rate of 0 yen. During the incident, the users who discovered the bug placed orders which summed up to $20 trillion.