Coinbase Trading Vulnerability Exposed by White-Hat Hacker
Twitter user @Tree_of_Alpha notified the Coinbase team of the exploit; the exchange giant suspended trading on its new Advanced Trading platform.
Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white hat hacker “Tree of Alpha,” and temporarily suspended trading on its new Advanced Trading platform.
Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting that they found a “potentially market-nuking” exploit and was submitting a HackerOne report.
“The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter.
Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also used as inputs for oracles, which determine the true prices of tokens for applications such as DeFi protocols.
After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”
Within two hours of the Tree of Alpha’s initial tweet, the Coinbase Support Twitter account announced that, due to technical reasons, Coinbase was disabling trading on its new Advanced Trading platform. While the service would still be accessible, users would be able to cancel existing orders but not place new orders. The Advanced Trading service is available only to a limited audience.
Last month, Tree of Alpha contacted CoinDesk about an issue surrounding the site’s content management system (CMS). The exploit allowed savvy programmers to view headlines of CoinDesk articles saved as drafts, informing trading decisions based on non-public information. The issue has since been resolved.
Tree of Alpha has also explored electric car maker Tesla’s website, tweeting that the company was ready to handle crypto payments on its site one day before CEO Elon Musk’s official Jan. 14 announcement that Tesla merchandise would be able to be purchased in Dogecoin.
Tree of Alpha experiments with websites, searching for revealing information that could be used for profitable trades. Occasionally, the savvy hacker comes across a major vulnerability to report.
“In general I only leak and work to get alpha closed once it gets too widespread and it becomes advantageous to have it fixed to even out the playing field again,” Tree of Alpha told CoinDesk in a Twitter message, when asked about their motivations for tweeting out alpha.