Overstock Payments Glitch Mixes Up Bitcoin and Bitcoin Cash: Report

Online retail giant Overstock.com has reportedly experienced a bug that meant it mixed up payments made in two different cryptocurrencies.

Jan 10, 2018 at 1:00 p.m. UTC
Updated Sep 14, 2021 at 1:55 p.m. UTC

Online retail giant Overstock.com has reportedly experienced a cryptocurrency payments bug that could have allowed customers to mint money simply via repeated cancellation of orders.

Last week, North Carolina-based bank security firm Bancsec informed journalist Brian Krebs that Overstock.com had erroneously accepted bitcoin cash instead of bitcoin as payment for a product.

To confirm the issue, Krebs ordered a $78 motion sensor light on Overstock and opted to make payment by bitcoin.

"Logging into Coinbase, I took the bitcoin address and pasted that into the 'pay to:' field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin," Krebs writes on his website. Because of the glitch, the security specialist was able to make a $78 purchase by sending approximately $12-worth of bitcoin cash.

As experienced by Bancsec, Overstock's website approved the transaction. What was potentially more damaging to the firm is the fact that, upon cancellation of the order, Overstock processed the refund in bitcoin.

Currently, a single bitcoin is priced at around $14,000, while its offshoot bitcoin cash is trading at $2,400. So, a malicious customer could have easily made large amounts of money simply by making repeated cancellations of orders of high-priced items at Overstock.

Krebs writes: "Reached for comment, Overstock.com said the company changed no code in its site and that a fix implemented by [payments partner] Coinbase resolved the issue."

Coinbase reportedly said that the issue was caused by "the merchant partner improperly using the return values in our merchant integration API," and noted that no other Coinbase customer had reported the problem. The error had existed for about three weeks, it added.

Krebs said he and Bancsec had looked for the same glitch at other merchants that "work directly with Coinbase in their checkout process," but they found "no other examples of this flaw."
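
An added example, not code from Overstock, Coinbase or the article: a merchant-side check that rejects the kind of payment described above and keeps any refund in the asset actually received. The `Invoice` and `Payment` types, their fields and both functions are hypothetical, and the quoted invoice amount is assumed to equal the figure Krebs sent.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    order_id: str
    asset: str        # asset the checkout quoted, e.g. "BTC"
    amount: Decimal   # amount quoted in that asset


@dataclass(frozen=True)
class Payment:
    order_id: str
    asset: str        # asset actually received, as reported by the processor
    amount: Decimal   # amount actually received in that asset


def verify_payment(invoice: Invoice, payment: Payment) -> tuple[bool, str]:
    """Accept a payment only if order, asset and amount all match the invoice."""
    if payment.order_id != invoice.order_id:
        return False, "order mismatch"
    if payment.asset != invoice.asset:
        # The reported failure mode: the number matched but the asset did not.
        return False, f"asset mismatch: quoted {invoice.asset}, received {payment.asset}"
    if payment.amount < invoice.amount:
        return False, "underpaid"
    return True, "paid"


def refund_for(payment: Payment, requested: Decimal) -> tuple[str, Decimal]:
    """Refund in the asset that was received, never more than was received."""
    return payment.asset, min(requested, payment.amount)


# Constructed sample data using the amount quoted in the article.
INVOICE = Invoice("order-1", "BTC", Decimal("0.00475574"))
WRONG_ASSET = Payment("order-1", "BCH", Decimal("0.00475574"))
RIGHT_ASSET = Payment("order-1", "BTC", Decimal("0.00475574"))

if __name__ == "__main__":
    print(verify_payment(INVOICE, WRONG_ASSET))
    print(verify_payment(INVOICE, RIGHT_ASSET))
    print(refund_for(WRONG_ASSET, Decimal("0.00475574")))
```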

Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Coinbase.
