While much ink has been spilled highlighting the accomplishments (and losses) of the crypto market’s trading and investment firms, there remains one group that plays an integral, behind-the-scenes security role: crypto bug sleuths.
From white hat hackers to researchers, this group of mostly anonymous coders and analysts scan blockchains and APIs to find possibly harmful gaps in the systems that power the crypto market.
The discovery of a bug in a new trading feature by the pseudonymous account Tree of Alpha provides the latest example. They discovered a bug in the beta feature that would let a user to sell crypto in one account so long as they had the same amount of crypto in another account — allowing someone, for instance, to sell 100 Bitcoin with 100 SHIB.
“I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC,” Tree of Alpha explained. “Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.”
Tree of Alpha described the bug as “market-nuking” when he took to Twitter on February 11. Coinbase ultimately rewarded the researcher $250,000 for his efforts.
To learn more, The Block sat down with the research to ask him about his background, the Coinbase bug, and what it means for crypto adoption.
Below is our conversation with Tree of Alpha, edited for clarity and brevity:
Frank Chaparro: How did you get involved in the space and discover these types of exploits?
Tree of Alpha: I started in crypto around end of 2017, basically buying the top with pennies, as a newly-graduated software engineer.
I spent 2 years learning more about developing by writing hundreds of trading bots that would never reliably make money, before eventually switching to news trading & botting, and finding out the fastest ways to get information. Most of the exploits I find I do while looking for tradeable information. This applies to the Tesla + Doge leak, the CoinDesk one and this recent Coinbase vulnerability.
FC: The $250,000 reward seems light — given the magnitude — and the fact some DeFi protocols have offered millions. Do you think this was an appropriate amount?
ToA: It is hard to tell with the amount of factors to take into account. If you think about the possible prejudice? Sure, it seems light, even though we cannot know exactly the amount of damage that could have been done.
DeFi protocols have very little leverage over hackers, since all the action can happen without any KYC and there is a certain culture of “code is law” to which some adhere. Coinbase is different: it is a US-listed centralized exchange enforcing KYC measures which can easily call on law enforcement to get involved.
Bounties have to be sizeable enough to turn grey hats into white hats, yet not big enough that hundreds of people will start poking everywhere. According to the overall Twitter response, it looks like a 7-figure bounty was expected.
I did not expect that much: the size of the bounty is proportional to the severity of the issue, and since I did not exploit it the exchange can state that the possible damage wasn’t that high by offering a smaller one.
FC: What do you think this means for new entrants to crypto, can they trust centralized venues?
ToA: No matter how much people like touting the sacrosanct decentralized nature of crypto, the fact remains that we still need trust in many of the actors involved: trust that the smart contract you use doesn’t have any vulnerabilities, trust that your wallet app didn’t go rogue, trust that CEX’s are safe, etc.
You also need to take into account that centralized entities are much more likely to be able to cover the damages from an exploit than a decentralized project. The beauty of crypto is that you have the choice: entrust your funds to an exchange, or self-custody and take responsibility for everything that entails.
FC: How do you think this issue went unnoticed?
ToA: This is a hard one: I do not know. When writing tests for an API that accepts a source account, a target account, and a product ID, the first thing I would make sure of is that the person indeed has more than “QTY” in the account. Coinbase had that part.
The second is making sure that, for a sale on “BTC-USD” product for example, “source account” is a “BTC” account and “target account” is a “USD” account. That part was missing, and any guess from me as to why would be speculation.
While every developer knows best practices at least vaguely, the harsh truth is a lot of shortcuts are taken to save time. If Tesla, a $890 billion company, tests payment integrations on live environment, that should tell you enough about the others.
FC: Can you estimate the potential damage if it was exploited?
ToA: I cannot, that is up to very specific Coinbase internals.
The highest reward with the least chance of being discovered would have been, in my opinion, putting up huge BTC sell walls very close to the last traded price in order to send the market in a panic. A very small fraction would have actually filled as the narrative would have spread, and a bad actor could have profited handsomely from the ensuing chaos by shorting on other exchanges.
All in all with this exploit, I believe most of the damage would have been on the market itself, and not as much on Coinbase customer holdings. The risk system would have kicked in, stopping all withdrawals and Coinbase could have done an internal rollback after the blow.
Read full story on The Block