Those are two words that can capture a trader’s attention in crypto. And when an anonymous account Tree of Alpha used those words to describe a possible exploit on Coinbase, it sent crypto Twitter into a tizzy about the extent to which Coinbase could be exploited.
Ultimately, those words were accurate to describe what could have happened if Coinbase’s leadership did not identify and fix what Tree of Alpha found.
In a blog post, Coinbase said that the problem was a bug in the new trading feature in limited beta availability. An exploiter, using two accounts, could manually modify their APIs connected to the exchange to sell a certain amount in one asset if they had the same amount in the other account with the same amount of another crypto.
“The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds,” Coinbase explained. “As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange,” the firm added.
Coinbase said it would pay Tree of Alpha $250,000 as a bounty — a figure that’s dwarfed by the bounties paid by DeFi protocols. Wormhole offered to pay out $10 million after its eye-popping hack earlier this month.
As for Coinbase’s bug, Tree of Alpha said that he discovered it whilst poking around Coinbase’s new advanced trading platform. “I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC,” he explained. “Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.”
In other words, Tree of Alpha was able to sell ~$1,000 worth of bitcoin with only ~$70 worth of ether in his account (rough maths based on February 11 pricing).