Last year we discussed our Christmas present and how we created and distributed it (links to those articles can be found in the footnotes). However, there was one more thing we were working on that we were not allowed to talk about until now: a system flaw we found in an online cryptocurrency exchange while working on that Christmas present.
We found this flaw in the cryptocurrency exchange Coinbase, a platform for buying, selling and storing Bitcoin, Litecoin, Ethereum and Bitcoin Cash. For this article, only the wallet used to store Ethereum on Coinbase matters.
During the Christmas holidays last December, we were still actively working on the Christmas present and getting it ready for distribution. As part of this, we were running tests with the smart contract on the Ethereum mainnet. Some of the recipient addresses returned an error when the contract tried to send Ethereum to them. As we expected, that error stopped execution of the smart contract and reverted the whole transaction, including the transfers to other recipients that had already taken place within it.
What we didn't expect was that one of our colleagues, who had chosen to use Coinbase as his wallet, told us he had received the Ethereum. After checking, we found that according to the smart contract no Ethereum had been sent to our colleague; according to his Coinbase wallet, however, he had received it. We initially wrote this off as an odd bug that happens from time to time.
I decided to push this a bit further and asked the two colleagues who had created the smart contract whether we could reproduce it. We set up a small-scale test with a different smart contract and four recipients: two Coinbase wallets, one normal Ethereum wallet and a second smart contract that made the transaction fail when Ethereum was sent to it. Lo and behold, we could reliably reproduce the bug and add Ethereum to our Coinbase wallets without ever actually sending any.
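The post does not say what Coinbase's root cause was, but the symptom (a credit for a transfer that was rolled back when the surrounding transaction reverted) is exactly what happens when a deposit tracker credits internal calls from a transaction trace without checking whether those calls actually took effect. The following is an added example, not Coinbase's code and not code from the original post. It assumes a Geth callTracer-style call tree and EIP-658 receipt status, and all addresses, contract names and trace data in it are constructed. The buggy `naive_credits` reproduces the behaviour described above; `safe_credits` gates every credit on the receipt status and on every enclosing call frame having succeeded.

```python
"""Added example (not Coinbase's code): crediting ETH deposits from a call trace.

Assumption, not stated by the post: the exchange credited deposits by scanning
internal calls. The example shows why a credit must be gated on the receipt
status and on every enclosing call frame succeeding, not just on a value-bearing
CALL appearing in the trace.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional

WEI = 10**18
# Opcodes that can move ETH. DELEGATECALL and STATICCALL never transfer value.
VALUE_BEARING = {"CALL", "CALLCODE", "CREATE", "CREATE2", "SELFDESTRUCT"}


@dataclass
class Frame:
    """One call frame, shaped like a subset of Geth's callTracer output."""
    call_type: str
    sender: str
    to: str
    value_wei: int
    error: Optional[str] = None             # e.g. "execution reverted", "out of gas"
    calls: list[Frame] = field(default_factory=list)


@dataclass
class Receipt:
    status: int                             # EIP-658: 1 = success, 0 = failed


def frames_with_status(frame: Frame, ancestors_ok: bool = True) -> Iterator[tuple[Frame, bool]]:
    """Yield every frame with a flag that is True iff it and all its ancestors succeeded.

    A frame that errors rolls back its own value transfer and everything its
    sub-frames did, including sub-frames that did not error themselves.
    """
    ok = ancestors_ok and frame.error is None
    yield frame, ok
    for child in frame.calls:
        yield from frames_with_status(child, ok)


def _sum_credits(frames: Iterator[tuple[Frame, bool]], custodial: set[str], require_ok: bool) -> dict[str, int]:
    credits: dict[str, int] = {}
    for fr, ok in frames:
        if fr.call_type not in VALUE_BEARING or not fr.value_wei or fr.to not in custodial:
            continue
        if require_ok and not ok:
            continue
        credits[fr.to] = credits.get(fr.to, 0) + fr.value_wei
    return credits


def naive_credits(trace: Frame, custodial: set[str]) -> dict[str, int]:
    """Buggy: credits every value-bearing internal call to a custodial address,
    whether or not the transfer actually took effect on-chain."""
    return _sum_credits(frames_with_status(trace), custodial, require_ok=False)


def safe_credits(receipt: Receipt, trace: Frame, custodial: set[str]) -> dict[str, int]:
    """Hardened: nothing is credited if the transaction failed, and nothing is
    credited for a transfer inside a frame that reverted, directly or via an ancestor."""
    if receipt.status != 1:  # whole transaction reverted: no ETH moved at all
        return {}
    return _sum_credits(frames_with_status(trace), custodial, require_ok=True)


# Constructed placeholder addresses (not real accounts or contracts).
USER, BATCH, WALLET, REVERTER, HELPER = "0xuser", "0xbatch", "0xwallet", "0xreverter", "0xhelper"
CUSTODIAL = {"0xexchange-a", "0xexchange-b"}  # deposit addresses the exchange watches

# Scenario 1, the behaviour described in the post: a batch contract forwards 1 ETH
# to each recipient; the third recipient reverts, so the outer call, and the
# transfers that had already happened inside it, are all rolled back.
REVERTED_BATCH = Frame("CALL", USER, BATCH, 3 * WEI, error="execution reverted", calls=[
    Frame("CALL", BATCH, "0xexchange-a", WEI),
    Frame("CALL", BATCH, WALLET, WEI),
    Frame("CALL", BATCH, REVERTER, WEI, error="execution reverted"),
])
REVERTED_RECEIPT = Receipt(status=0)

# Scenario 2: a batch contract that tolerates a failing recipient (low-level call,
# failure not propagated). The exchange-a deposit is real. The exchange-b deposit
# sat inside a helper frame that reverted, so it never took effect even though the
# transaction as a whole succeeded.
TOLERANT_BATCH = Frame("CALL", USER, BATCH, 3 * WEI, calls=[
    Frame("CALL", BATCH, "0xexchange-a", WEI),
    Frame("CALL", BATCH, REVERTER, WEI, error="execution reverted"),
    Frame("CALL", BATCH, HELPER, WEI, error="execution reverted", calls=[
        Frame("CALL", HELPER, "0xexchange-b", WEI),  # no error of its own, still rolled back
    ]),
])
TOLERANT_RECEIPT = Receipt(status=1)

if __name__ == "__main__":
    print("naive, reverted tx :", naive_credits(REVERTED_BATCH, CUSTODIAL))
    print("safe,  reverted tx :", safe_credits(REVERTED_RECEIPT, REVERTED_BATCH, CUSTODIAL))
    print("naive, tolerant tx :", naive_credits(TOLERANT_BATCH, CUSTODIAL))
    print("safe,  tolerant tx :", safe_credits(TOLERANT_RECEIPT, TOLERANT_BATCH, CUSTODIAL))
```

The receipt check alone is not enough: in the second scenario the transaction succeeded, yet the exchange-b transfer was still rolled back because its parent frame reverted. The walk therefore propagates failure downwards through the call tree, and the receipt status is kept as a cheap outer guard for the case where a trace is missing or truncated.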
The bug we found is quite big. But how do we let the company know about it in a proper way? You can imagine that some companies are not very happy when you post things like this in public; they might even try to sue you for doing so. Luckily, a security course at the Hogeschool Rotterdam had introduced me to the platform HackerOne and how it can help in these kinds of situations.
HackerOne is an online platform where companies can register to allow responsible disclosure. Responsible disclosure means that you enter into certain agreements with a company about disclosing issues you have found in their systems. This can include guidelines on what you are and are not allowed to do when looking for a bug, and on when you can go public: right after finding the issue, once the issue is resolved, or after a set period of time has elapsed since the issue was reported to the company. In return, the people who find these issues and follow the guidelines can be rewarded for finding them.
HackerOne as a platform makes sure that each company's guidelines are followed by both the company and the reporter. It will also back the hackers and security experts if a company tries to punish the reporter of a flaw in its systems even though the reporter followed the company's guidelines. HackerOne also functions a bit like a leaderboard for hackers around the world, letting them show what they have accomplished in a field where public recognition for your work is usually hard to get because of legal issues.
Using this platform, I got in contact with the security team of Coinbase and we provided them with all the evidence we had gathered so far. Over the next couple of weeks I went back and forth with them, providing more information where requested and running tests on our side to eventually verify that the issue had been resolved. Coinbase informed us that the issue had been fixed internally within hours of triage, but that communication with us took a bit longer because of the Christmas period.
After the issue was resolved, we were asked not to go public with this information until the 21st of March, as Coinbase did not want details of the bug to become public immediately.
Companies that register at HackerOne for responsible disclosure have the option to issue rewards to hackers who bring them issues. These rewards can be as simple as a thank you, some merchandise, or money. The company is completely free to decide whether to give a reward and what that reward will be. Of course, the better the rewards, the bigger the incentive.
When we started the disclosure of this issue, we knew that Coinbase paid money for vulnerabilities. They also provided a table of issue types and what they would pay for each. We guessed that the vulnerability we found would fall under "Significant manipulation of the account balance", which would award $10,000. Some of us were a bit sceptical about actually receiving this, but I had high hopes.
On the 26th of January, we were informed that we were to be awarded a bug bounty of $10,000!
Overall this entire process was great fun and gave me and VI Company real insight into the value of a responsible disclosure system. Yes, $10,000 is quite a bit of money, but compared with the potential damage this bug could have done, the reward seems tiny. I am currently working on getting VI Company its own responsible disclosure system. More about that soon.
I would also like to thank VI Company for allowing me to pursue this bug bounty on company time.
If you have more questions about this bug bounty, feel free to contact us!
References in this article:
Finally, a small shout-out to my two teachers at the Hogeschool Rotterdam who introduced me to HackerOne and taught me about responsible disclosure. What they taught me is what drove me to pursue this bug bounty.
Christmas Present Articles
Updated 04-04-18: updated the article to reflect Coinbase's summary on HackerOne as well.