Tree of Alpha describes how he alerted the exchange to a vulnerability that could have caused a "potential crisis" — but critics say his bug bounty should have been much higher.
An engineer has revealed how he spotted a flaw in Coinbase's advanced trading feature that could have allowed malicious users to sell Bitcoin without owning it.
Tree of Alpha received a bug bounty of $250,000 — believed to be the biggest-ever reward given by the exchange — after helping the company avert a "potential crisis."
In a detailed Twitter thread, he described "poking around" the new feature to understand how it works — and while attempting to get an error message, a significant vulnerability emerged.
Tree of Alpha managed to use 0.0243 ETH to sell 0.0243 BTC on a completely different trading pair, despite the fact that he didn't hold any Bitcoin at the time. He wrote:
"Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book."
He describes performing one final check to ensure that this vulnerability is real rather than imagined — and successfully managing to make a 50 BTC limit sell order using 50 SHIB.
If exploited in the real world, this would have allowed Tree of Alpha to pocket a whopping $2 million… all for less than a cent.
Listen to the CoinMarketRecap podcast on Apple Podcasts, Spotify and Google Podcasts
Taking Urgent Action
Tree of Alpha had spotted this vulnerability on Feb. 11 — the Friday before the Super Bowl — and immediately began attempting to reach out to Coinbase executives to inform them of this vulnerability.
At the time, he had described the exploit as "potentially market-nuking" — underlining its severity.
Within 30 minutes, all of the markets in its advanced trading feature were in cancel-only mode, with Coinbase CEO Brian Armstrong reaching out at the time to say thank you.
The engineer says other attack vectors that a malicious user could have deployed included shorting on FTX or Binance — and flashing big limit sells "to make the market freak out." He wrote:
"We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way. While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug."
Tree of Alpha thanked his followers for ensuring that he could reach the right people within Coinbase as a matter of urgency — and praised the exchange for fixing the vulnerability quickly. He added:
"While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation."
Although Tree of Alpha has been praised for saving Coinbase's bacon, some Twitter users have criticized the exchange — and have claimed that the bug bounty is much too small. @Brewtoshi pointed to how Wormhole is offering a $10 million bug bounty for information after a recent $250 million attack, even though this vulnerability had the potential to be much bigger. Another wrote:
"$250k? Would you rather folks just exploit these bugs, and nuke Coinbase and their customers' assets to zero? What gives?"
Others were more critical that such a vulnerability could even go live in the first place:
"Extremely unsettling that such a basic flaw can go undetected!"
