A bug on the Coinbase exchange allowed an unlimited amount of Ethereum to be credited
Fintech company VI Company reported discovering a vulnerability in the Coinbase exchange's handling of smart contracts that allowed users to credit unlimited ETH to their accounts. The researchers notified the company of the vulnerability in December of last year, and it was fixed in January. VI Company employees received a $10,000 award for their work.
“By using a smart contract to distribute ETH across a set of wallets, you can manipulate the account balance on Coinbase,” the researchers write in their report. “If one of the transactions in a smart contract does not work, all the transactions before it are canceled. But on Coinbase, these transactions are not canceled, which means that a person can add as much Ethereum to their account as they wish.”
In practice, this means that Coinbase users could credit any amount of Ethereum to their accounts.
They also provided an outline of the actions that allowed them to exploit the bug:
- Create a smart contract with several valid wallets and one faulty wallet on Coinbase;
- Transfer the required amount to the smart contract;
- Execute the smart contract, adding the designated amount to your Coinbase wallet; the funds will never leave the smart contract, because the last wallet will cause the transaction to be canceled;
- Repeat the required number of times;
- Withdraw funds.
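
The flaw described above, seen from the deposit-processing side: crediting every internal transfer found in a transaction trace versus crediting only transfers whose transaction and enclosing call frames succeeded. This is an added example, not Coinbase's or VI Company's code; the trace model, field names and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Call:                      # one call frame in a transaction trace (assumed model)
    to: str
    value: int                   # amount in wei
    error: Optional[str] = None  # set when this frame failed
    children: list = field(default_factory=list)

@dataclass
class Tx:
    status: int                  # receipt status: 1 = success, 0 = reverted
    root: Call

def _walk(call, deposit_addrs, credits, skip_failed):
    if skip_failed and call.error is not None:
        return                   # failed frame: it and its whole subtree were rolled back
    if call.to in deposit_addrs and call.value > 0:
        credits[call.to] = credits.get(call.to, 0) + call.value
    for child in call.children:
        _walk(child, deposit_addrs, credits, skip_failed)

def credit_naive(tx, deposit_addrs):
    """Flawed: credits every internal transfer that appears in the trace."""
    credits = {}
    _walk(tx.root, deposit_addrs, credits, skip_failed=False)
    return credits

def credit_checked(tx, deposit_addrs):
    """Credits a transfer only if the transaction and every enclosing frame succeeded."""
    credits = {}
    if tx.status == 1:
        _walk(tx.root, deposit_addrs, credits, skip_failed=True)
    return credits

ETH = 10**18
DEPOSITS = {"0xdeposit_a", "0xdeposit_b"}   # constructed placeholder addresses

# Constructed trace: the contract pays two deposit addresses, the last transfer
# fails, and that failure reverts the whole transaction.
REVERTED = Tx(0, Call("0xsplitter", 3 * ETH, "execution reverted", [
    Call("0xdeposit_a", ETH), Call("0xdeposit_b", ETH),
    Call("0xfaulty", ETH, "execution reverted")]))
# Constructed trace: same layout, every transfer succeeds.
SUCCESS = Tx(1, Call("0xsplitter", 2 * ETH, None, [
    Call("0xdeposit_a", ETH), Call("0xdeposit_b", ETH)]))

if __name__ == "__main__":
    for name, tx in (("reverted", REVERTED), ("success", SUCCESS)):
        print(name, credit_naive(tx, DEPOSITS), credit_checked(tx, DEPOSITS))
```

The per-frame check also covers a transaction that succeeds overall while one inner call fails and is caught by the contract: transfers beneath the failed frame are skipped, the rest are credited.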