Coinbase Trading Vulnerability Exposed by White-Hat Hacker

Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white-hat hacker “Tree of Alpha.” It then temporarily suspended trading on its new Advanced Trading platform.

Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting they found a “potentially market-nuking” exploit and was submitting a HackerOne report.

HackerOne is a platform that runs bug bounty programs for companies, including Coinbase.

“The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter.

Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also used as inputs for oracles, which determine the true prices of tokens for applications such as decentralized finance (DeFi) protocols.

After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”

Within two hours of the Tree of Alpha’s initial tweet, the Coinbase Support Twitter account announced that, due to technical reasons, Coinbase was disabling trading on its new Advanced Trading platform. While the service would still be accessible, users would be able to cancel existing orders but not place new orders. The Advanced Trading service is available only to a limited audience.

Around 11 p.m. UTC (6 p.m. ET), Coinbase tweeted that it had “re-enabled full service for retail advanced trading.”

Coinbase CEO Brian Armstrong publicly tweeted his appreciation for Tree of Alpha’s assistance, writing, “.@Tree_of_Alpha you're awesome - a big thank you for working with our team. Love how the crypto community helps each other out!”

This isn’t the first time Tree of Alpha has notified influential crypto companies about vulnerabilities in their codebase.

Last month, Tree of Alpha contacted CoinDesk about an issue surrounding the site’s content management system (CMS). The exploit allowed savvy programmers to view headlines of CoinDesk articles saved as drafts, informing trading decisions based on non-public information. The issue has since been resolved.

Tree of Alpha has also explored electric car maker Tesla’s website, tweeting that the company was ready to handle crypto payments on its site one day before CEO Elon Musk’s official Jan. 14 announcement that Tesla merchandise would be able to be purchased in dogecoin.

Tree of Alpha experiments with websites, searching for revealing information that could be used for profitable trades. Occasionally, the savvy hacker comes across a major vulnerability to report.

“In general I only leak and work to get alpha closed once it gets too widespread and it becomes advantageous to have it fixed to even out the playing field again,” Tree of Alpha told CoinDesk in a Twitter message, when asked about their motivations for tweeting out alpha.

“[The Coinbase issue] however was no alpha, this was a serious exploit which could have sent the market in disarray,” they said.