You might have missed a one-off opportunity to become a cryptocurrency multi-billionaire. It appears popular exchange desk Coinbase suffered from a flaw in its Ethereum ETH smart contract setup, which made it possible to reward yourself with a virtually infinite sum of ETH, according to newly surfaced vulnerability report.
The jarring vulnerability was discovered by Dutch fintech firm VI Company, which reported the issue to Coinbase back in late December last year. The exchange desk fixed the issue a month later in January and has since rewarded the Dutch company with a $10,000 bounty.
“By using a smart contract to distribute [ETH] over a set of wallets you can manipulate the account balance of your Coinbase account,” the researchers wrote in a HackerOne report submitted to the exchange desk.
“If [one] wallets transaction in the smart contract fails all transactions before that will be reversed,” VI Company explained. “But on Coinbase these transactions will not be reversed, meaning a person could add as much Ethereum to their balance as they want.”
This practically meant that anyone could have abused this glitch to credit their wallets with infinite amounts of Ethereum.
The researchers have provided screenshots proving they were able to successfully exploit the glitch. They have also linked to the faulty transaction on Etherscan.
VI Company has also since detailed the steps it took to exploit the bug:
- Setup a smart contract with a few valid Coinbase wallets and [one] final faulty wallet
- Transfer appropriate funds to smart contract
- Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet
- Repeat until you have more than enough ethereum in your Coinbase wallet.
- Cash out
It remains unclear whether any individuals were able to successfully exploit the glitch to get rich, but we have reached out to the exchange desk for a clarification. We will update this piece accordingly should we hear back.
Published March 21, 2018 — 11:24 UTC