Coinbase Smart Contract Vulnerability Allowed Unlimited Ethereum Credits

In late February 2018, a team of experts warned that more than 34,000 Ethereum smart contracts had potential issues and vulnerabilities that their owners might not even be aware of. This week, those warnings were confirmed: a bug was discovered in an Ethereum smart contract belonging to the major cryptocurrency exchange Coinbase.

The issue was first found back in December 2017 by specialists from the Dutch firm VI Company. Now that the vulnerability has been fixed and the company has received a $10,000 reward along with the green light to disclose the details, the researchers have published a detailed account of their discovery on their blog.

According to the specialists, the bug in the smart contract—which was used to distribute funds among multiple wallets—allowed users to credit an unlimited amount of Ethereum to their balance on the exchange. “If one of the smart contract’s transactions failed, all previous transactions should have been canceled. But on Coinbase, these transactions were not canceled, which meant a person could add as much Ethereum to their balance as they wanted,” the VI Company experts explained.
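The failure mode described above, as an added illustration that is not code from Coinbase or VI Company: a constructed Python model in which a multi-wallet payout either settles completely or not at all, comparing a ledger that credits each transfer it sees with one that credits only fully successful calls. Wallet names, amounts and the trace format are hypothetical.

```python
# Constructed model: amounts are integers (wei); all names are hypothetical.
# Each trace is one contract call that pays several wallets in order.
# A transfer tuple is (wallet, amount, succeeded).
SAMPLE_TRACES = [
    {"tx": "tx1", "transfers": [("exchange_user", 5, True), ("other", 5, True)]},
    # Second call: the payment to the exchange wallet runs, then a later one
    # fails, so every earlier transfer in the call should be cancelled.
    {"tx": "tx2", "transfers": [("exchange_user", 10, True), ("failing", 10, False)]},
]

def settled_transfers(trace):
    """Transfers that really moved funds: none if any step in the call failed."""
    if all(ok for _, _, ok in trace["transfers"]):
        return [(w, a) for w, a, _ in trace["transfers"]]
    return []

def credit_per_transfer(traces):
    """Flawed ledger: credits every transfer it observes, ignoring the call's outcome."""
    ledger = {}
    for trace in traces:
        for wallet, amount, ok in trace["transfers"]:
            if ok:
                ledger[wallet] = ledger.get(wallet, 0) + amount
    return ledger

def credit_atomic(traces):
    """Corrected ledger: credits only transfers from calls that fully succeeded."""
    ledger = {}
    for trace in traces:
        for wallet, amount in settled_transfers(trace):
            ledger[wallet] = ledger.get(wallet, 0) + amount
    return ledger

def unbacked_credits(ledger, traces):
    """Reconciliation check: per-wallet credit exceeding what actually settled."""
    backed = credit_atomic(traces)
    return {w: amt - backed.get(w, 0) for w, amt in ledger.items()
            if amt > backed.get(w, 0)}

if __name__ == "__main__":
    flawed = credit_per_transfer(SAMPLE_TRACES)
    print("per-transfer ledger:", flawed)
    print("atomic ledger:      ", credit_atomic(SAMPLE_TRACES))
    print("unbacked credits:   ", unbacked_credits(flawed, SAMPLE_TRACES))
```

Running the reconciliation check against an internal ledger surfaces balances that no settled on-chain transfer supports.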

Although the problem was discovered on December 27, 2017, the vulnerability was not fully fixed until January 26, 2018. In their report, VI Company emphasized that their analysis showed no one had managed to exploit the vulnerability before it was patched.