Coinbase Trading Vulnerability Exposed by White-Hat Hacker

Twitter user @Tree_of_Alpha notified the Coinbase team of the exploit and the exchange giant suspended trading on its new Advanced Trading platform.

AccessTimeIconFeb 12, 2022 at 1:21 a.m. UTC
Updated May 11, 2023 at 3:59 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white-hat hacker “Tree of Alpha.” It then temporarily suspended trading on its new Advanced Trading platform.

Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting they found a “potentially market-nuking” exploit and was submitting a HackerOne report.

  • How NEAR Enables Multichain Access From One Account
    00:56
    How NEAR Enables Multichain Access From One Account
  • Why the NEAR foundation Chose Eigenlayer as a Security Partner
    00:54
    Why the NEAR foundation Chose Eigenlayer as a Security Partner
  • Judge Kaplan Had 'No Love' for Sam Bankman-Fried, Legal Expert Says
    07:08
    Judge Kaplan Had 'No Love' for Sam Bankman-Fried, Legal Expert Says
  • How Bitcoin and Ether's Options Contracts Combined Expiry Could Spike Volatility
    01:11
    How Bitcoin and Ether's Options Contracts Combined Expiry Could Spike Volatility
  • HackerOne is a platform that runs bug bounty programs for companies, including Coinbase.

    “The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter.

    Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also used as inputs for oracles, which determine the true prices of tokens for applications such as decentralized finance (DeFi) protocols.

    After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”

    Within two hours of the Tree of Alpha’s initial tweet, the Coinbase Support Twitter account announced that, due to technical reasons, Coinbase was disabling trading on its new Advanced Trading platform. While the service would still be accessible, users would be able to cancel existing orders but not place new orders. The Advanced Trading service is available only to a limited audience.

    Around 11 p.m. UTC (6 p.m. ET), Coinbase tweeted that it had “re-enabled full service for retail advanced trading.”

    Coinbase CEO Brian Armstrong publicly tweeted his appreciation for Tree of Alpha’s assistance, writing, “.@Tree_of_Alpha you're awesome - a big thank you for working with our team. Love how the crypto community helps each other out!”

    This isn’t the first time Tree of Alpha has notified influential crypto companies about vulnerabilities in their codebase.

    Last month, Tree of Alpha contacted CoinDesk about an issue surrounding the site’s content management system (CMS). The exploit allowed savvy programmers to view headlines of CoinDesk articles saved as drafts, informing trading decisions based on non-public information. The issue has since been resolved.

    Tree of Alpha has also explored electric car maker Tesla’s website, tweeting that the company was ready to handle crypto payments on its site one day before CEO Elon Musk’s official Jan. 14 announcement that Tesla merchandise would be able to be purchased in dogecoin.

    Tree of Alpha experiments with websites, searching for revealing information that could be used for profitable trades. Occasionally, the savvy hacker comes across a major vulnerability to report.

    “In general I only leak and work to get alpha closed once it gets too widespread and it becomes advantageous to have it fixed to even out the playing field again,” Tree of Alpha told CoinDesk in a Twitter message, when asked about their motivations for tweeting out alpha.

    “[The Coinbase issue] however was no alpha, this was a serious exploit which could have sent the market in disarray,” they said.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Tracy Wang

    Tracy was the deputy managing editor at CoinDesk. She owns BTC, ETH, MINA, ENS and some NFTs.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.