Coinbase users able to take unlimited free Ethereum

A bug discovered on Coinbase allowed users to help themselves to free Ethereum.

Coinbase, one of the world’s most popular cryptocurrency exchanges, had an undetected bug in its system that allowed users to collect unlimited amounts of Ethereum with just a few simple steps.

The San Fransico-based company was able to avoid disaster thanks to a bug report, however.

Dutch FinTech firm, VI Company, disclosed the vulnerability on Wednesday via a post from its HackerOne account.

The bug meant that tricking Coinbase into assuming that a transfer was taking place.

A group of digital wallets controlled by a smart contract was manipulated to fool the exchange into transferring the digital currency.

VI Company notified Coinbase of the bug in late December, who announced on January 25th that the issue was resolved.

Coinbase responded by rewarding the firm with a $10,000 bounty for identifying the previously undiscovered problem.

Smart contracts

One of the main reasons people often tout the Ethereum blockchain as having more potential that Bitcoin‘s technology is due to its smart contracts.

To put it simply, a smart contract is a set of conditions that must be met to complete a transfer on the Ethereum blockchain where cryptocurrencies are transferred from one party to another.

VI Company said they wanted to familiarize their employees with smart contracts giving them a unique Christmas present last year.

The plan was to set up a smart contract that would send an Ether bonus to everyone on Christmas Eve, Christmas Day, and Boxing Day.

While setting up this cool festive treat, the engineers noticed something unusual.

Developers realized that all of the transactions failed if one of the internal contacts was unsuccessful, which is how a smart contract should function.

What they found though, was that Coinbase’s internal accounts were not registering the reversal.

Coinbase’s system assumed the wallet was credited with Ether, but Coinbase showed that no transaction had occurred when checking the wallet from outside.

Simple steps

VI Company outlines the simple steps required to collect more Ethereum than you could ever spend:

1. Setup a smart contract with a few valid Coinbase wallets and [one] final faulty wallet

2. Transfer appropriate funds to smart contract

3. Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet

4. Repeat until you have more than enough ethereum in your Coinbase wallet.

5. Cash out

Although a Coinbase account would show funds being present after following these steps, they were never transferred into the wallets.

Any Ether that was collected was only ever part of Coinbase’s records.

Had an unscrupulous character discovered this flaw, however, they could have transferred the crypto to a wallet outside of Coinbase.

Or they could have exchanged the free Ethereum for fiat money and transferred it into a bank account.

Withdrawing millions of dollars worth of funds from an account would inevitably raise red flags at Coinbase though, so such a heist would unlikely go unnoticed.

Coinbase also has a stringent policy regarding verifying your real-world identity too, so a fraudulent transfer would be easily traceable.

It isn’t known if anyone managed to game the system and claim any free Ethereum.

Leave a comment