Coinbase Trading Vulnerability Exposed by White-Hat Hacker

Twitter user @Tree_of_Alpha notified the Coinbase team of the exploit and the exchange giant suspended trading on its new Advanced Trading platform.

Feb 12, 2022 at 1:21 a.m. UTC
Updated Feb 14, 2022 at 3:48 p.m. UTC

Tracy Wang is a senior reporter at CoinDesk. She owns BTC, ETH, MINA, ENS, various stablecoins, and some NFTs.

Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white-hat hacker “Tree of Alpha.” It then temporarily suspended trading on its new Advanced Trading platform.

Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting that they had found a “potentially market-nuking” exploit and were submitting a HackerOne report.

HackerOne is a platform that runs bug bounty programs for companies, including Coinbase.

“The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter.

Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also consumed by price oracles, the services that relay token prices to on-chain applications such as decentralized finance (DeFi) protocols. A bug that lets an attacker push Coinbase order books to arbitrary prices would therefore not stay contained to the exchange: any protocol whose oracle leans on that feed could see the bad prices propagate into its own pricing and liquidation logic.
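To make the oracle dependency concrete, here is an added example (not Coinbase's code, and not any oracle vendor's) of why a feed that trusts a single exchange inherits that exchange's failure modes, and how a median with a deviation guard limits the damage when one venue's book is pushed to an arbitrary price. The venue names and all price values are constructed sample data; the 5% deviation threshold and three-source minimum are assumptions chosen for illustration.

```python
"""Multi-source price aggregation versus a single-source feed.

Added illustration; not code from Coinbase or from any oracle project.
Every price below is constructed sample data for a hypothetical BTC-USD feed.
"""
from statistics import median
from typing import Dict, List, Optional

# Constructed snapshot of mid prices from five hypothetical venues.
HONEST_SNAPSHOT: Dict[str, float] = {
    "coinbase": 42010.0,
    "kraken": 41995.0,
    "binance": 42020.0,
    "bitstamp": 41980.0,
    "gemini": 42005.0,
}

# Same snapshot, but one venue's order book has been pushed to an absurd
# price, modelling the "order books sent to arbitrary prices" scenario.
MANIPULATED_SNAPSHOT: Dict[str, float] = dict(HONEST_SNAPSHOT, coinbase=1.0)


def single_source_price(snapshot: Dict[str, float], source: str) -> float:
    """Naive oracle: whatever one venue reports is the truth.

    Anything that moves that venue's book moves every consumer downstream.
    """
    return snapshot[source]


def outliers(snapshot: Dict[str, float], max_deviation: float = 0.05) -> List[str]:
    """Names of sources more than max_deviation (a fraction) from the median."""
    m = median(snapshot.values())
    return sorted(name for name, p in snapshot.items() if abs(p - m) / m > max_deviation)


def robust_price(
    snapshot: Dict[str, float],
    max_deviation: float = 0.05,
    min_sources: int = 3,
) -> Optional[float]:
    """Median of all sources after dropping those that deviate too far from it.

    Returns None when fewer than min_sources remain, so a caller can refuse
    to act on a degraded feed instead of acting on a bad number. This only
    helps while the honest sources are a majority: if most venues were
    manipulated in the same direction, the median would follow them.
    """
    prices = [p for p in snapshot.values() if p > 0]  # non-positive quotes are junk
    if len(prices) < min_sources:
        return None
    m = median(prices)
    kept = [p for p in prices if abs(p - m) / m <= max_deviation]
    if len(kept) < min_sources:
        return None
    return median(kept)


if __name__ == "__main__":
    # Constructed demo: the single-source feed swallows the manipulated
    # quote whole, while the guarded median drops it as an outlier.
    print("single-source, manipulated:", single_source_price(MANIPULATED_SNAPSHOT, "coinbase"))
    print("robust, honest:            ", robust_price(HONEST_SNAPSHOT))
    print("robust, manipulated:       ", robust_price(MANIPULATED_SNAPSHOT))
    print("outliers, manipulated:     ", outliers(MANIPULATED_SNAPSHOT))
```

The point of returning None rather than a best-effort number is that a DeFi protocol is usually better off pausing liquidations for a few minutes than liquidating positions against a price that one venue's bug produced; a feed that never says "I don't know" forces its consumers to trust it unconditionally.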

After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”

Within two hours of Tree of Alpha’s initial tweet, the Coinbase Support Twitter account announced that, for technical reasons, Coinbase was disabling trading on its new Advanced Trading platform. The service remained accessible, but users could only cancel existing orders, not place new ones. Advanced Trading is available only to a limited audience.

Around 11 p.m. UTC (6 p.m. ET), Coinbase tweeted that it had “re-enabled full service for retail advanced trading.”

Coinbase CEO Brian Armstrong publicly tweeted his appreciation for Tree of Alpha’s assistance, writing, “.@Tree_of_Alpha you're awesome - a big thank you for working with our team. Love how the crypto community helps each other out!”

This isn’t the first time Tree of Alpha has notified influential crypto companies about vulnerabilities in their systems.

Last month, Tree of Alpha contacted CoinDesk about an issue in the site’s content management system (CMS). The flaw allowed anyone who knew where to look to read the headlines of unpublished CoinDesk articles saved as drafts, giving early access to non-public information that could inform trading decisions. The issue has since been resolved.

Tree of Alpha has also explored electric car maker Tesla’s website, tweeting that the company was ready to handle crypto payments on its site one day before CEO Elon Musk’s official Jan. 14 announcement that Tesla merchandise could be purchased with dogecoin.

Tree of Alpha experiments with websites, searching for revealing information that could be used for profitable trades. Occasionally, the savvy hacker comes across a major vulnerability to report.

“In general I only leak and work to get alpha closed once it gets too widespread and it becomes advantageous to have it fixed to even out the playing field again,” Tree of Alpha told CoinDesk in a Twitter message, when asked about their motivations for tweeting out alpha.

“[The Coinbase issue] however was no alpha, this was a serious exploit which could have sent the market in disarray,” they said.


DISCLOSURE


The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

