It recently became known that Coinbase, one of the largest crypto companies in the world, had a bug that allowed users to obtain unlimited funds in ETH.
The vulnerability was discovered by the Dutch firm Fintech VI, which reported it to Coinbase at the end of December last year. The exchange fixed the bug a month later, in January, and paid the Dutch company a reward of $10,000.
By using a smart contract to distribute ETH across a number of wallets, you could manipulate your account balance on Coinbase.
If one of the wallets within the smart contract fails, all transactions committed before it are cancelled. But on Coinbase these transactions were not cancelled, which means that a user could add as much Ethereum to their balance as they wanted.
This effectively means that any Coinbase user could exploit this vulnerability to gain unlimited Ethereum.
The researchers provided screenshots proving that they were able to successfully exploit the bug, and gave the transaction number.
Fintech VI also described the steps that must be taken to reproduce the vulnerability:
- Set up a smart contract with several open Coinbase wallets and [one] last faulty wallet
- Send that amount of money to the smart contract
- Initiate execution of the smart contract and send the specified amount of ether to other wallets on Coinbase; the transaction will fail on the last wallet
- Repeat until there is enough ether in your Coinbase wallet
- Print money
It remains unclear whether it was possible for someone to exploit the vulnerability or not.
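
The accounting flaw described above can be shown from the deposit-processing side. The following is an added example, not code from Coinbase or Fintech VI: it assumes a simplified, constructed call-trace format (nested frames with `to`, `value`, an optional `error`, and `calls`) and hypothetical wallet names, and compares a crediting routine that trusts every internal transfer with one that ignores transfers inside a reverted frame.

```python
from collections import defaultdict

ETH = 10**18  # wei per ether

def credits_naive(frame, hosted, out=None):
    """Flawed accounting: credit every internal transfer that appears in the trace."""
    out = defaultdict(int) if out is None else out
    if frame["to"] in hosted and frame["value"] > 0:
        out[frame["to"]] += frame["value"]
    for child in frame.get("calls", []):
        credits_naive(child, hosted, out)
    return dict(out)

def credits_safe(frame, hosted, out=None, reverted=False):
    """Credit a transfer only if neither its own frame nor any ancestor reverted."""
    out = defaultdict(int) if out is None else out
    reverted = reverted or bool(frame.get("error"))
    if not reverted and frame["to"] in hosted and frame["value"] > 0:
        out[frame["to"]] += frame["value"]
    for child in frame.get("calls", []):
        credits_safe(child, hosted, out, reverted)
    return dict(out)

# Constructed sample: a distributor contract pays two hosted wallets, then the
# payment to the last (faulty) wallet fails and the whole transaction reverts.
HOSTED = {"hosted-A", "hosted-B"}
REVERTED_TX = {
    "to": "distributor", "value": 3 * ETH, "error": "execution reverted",
    "calls": [
        {"to": "hosted-A", "value": 1 * ETH},
        {"to": "hosted-B", "value": 1 * ETH},
        {"to": "faulty-wallet", "value": 1 * ETH, "error": "execution reverted"},
    ],
}

if __name__ == "__main__":
    print("naive:", credits_naive(REVERTED_TX, HOSTED))  # credits ether that never moved
    print("safe: ", credits_safe(REVERTED_TX, HOSTED))   # credits nothing
```

The revert flag is passed down from parent to child, so a transfer that succeeded on its own is still discarded when the enclosing transaction was rolled back on-chain.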