Coinbase Trading Vulnerability Exposed by White-Hat Hacker

Twitter user @Tree_of_Alpha notified the Coinbase team of the exploit and the exchange giant suspended trading on its new Advanced Trading platform.

AccessTimeIconFeb 12, 2022 at 1:21 a.m. UTC
Updated Feb 14, 2022 at 3:48 p.m. UTC

Tracy is a deputy managing editor at CoinDesk. She owns BTC, ETH, MINA, ENS, various stablecoins, and some NFTs.

Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white-hat hacker “Tree of Alpha.” It then temporarily suspended trading on its new Advanced Trading platform.

Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting they found a “potentially market-nuking” exploit and was submitting a HackerOne report.

HackerOne is a platform that runs bug bounty programs for companies, including Coinbase.

“The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter.

Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also used as inputs for oracles, which determine the true prices of tokens for applications such as decentralized finance (DeFi) protocols.

After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”

Within two hours of the Tree of Alpha’s initial tweet, the Coinbase Support Twitter account announced that, due to technical reasons, Coinbase was disabling trading on its new Advanced Trading platform. While the service would still be accessible, users would be able to cancel existing orders but not place new orders. The Advanced Trading service is available only to a limited audience.

Around 11 p.m. UTC (6 p.m. ET), Coinbase tweeted that it had “re-enabled full service for retail advanced trading.”

Coinbase CEO Brian Armstrong publicly tweeted his appreciation for Tree of Alpha’s assistance, writing, “.@Tree_of_Alpha you're awesome - a big thank you for working with our team. Love how the crypto community helps each other out!”

This isn’t the first time Tree of Alpha has notified influential crypto companies about vulnerabilities in their codebase.

Last month, Tree of Alpha contacted CoinDesk about an issue surrounding the site’s content management system (CMS). The exploit allowed savvy programmers to view headlines of CoinDesk articles saved as drafts, informing trading decisions based on non-public information. The issue has since been resolved.

Tree of Alpha has also explored electric car maker Tesla’s website, tweeting that the company was ready to handle crypto payments on its site one day before CEO Elon Musk’s official Jan. 14 announcement that Tesla merchandise would be able to be purchased in dogecoin.

Tree of Alpha experiments with websites, searching for revealing information that could be used for profitable trades. Occasionally, the savvy hacker comes across a major vulnerability to report.

“In general I only leak and work to get alpha closed once it gets too widespread and it becomes advantageous to have it fixed to even out the playing field again,” Tree of Alpha told CoinDesk in a Twitter message, when asked about their motivations for tweeting out alpha.

“[The Coinbase issue] however was no alpha, this was a serious exploit which could have sent the market in disarray,” they said.

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Tracy is a deputy managing editor at CoinDesk. She owns BTC, ETH, MINA, ENS, various stablecoins, and some NFTs.

CoinDesk - Unknown

Tracy is a deputy managing editor at CoinDesk. She owns BTC, ETH, MINA, ENS, various stablecoins, and some NFTs.

Investing in the Future of the Digital Economy
October 18-19 | Spring Studio, NYC