At Coinbase, our number one priority is ensuring that we uphold our security commitments to our customers. On February 11, 2022, we received a report from a third-party researcher indicating that they had uncovered a flaw in Coinbase’s trading interface. We promptly mobilized our security incident response team to identify and patch the bug, and resolved the underlying system issue without any impact to customer funds.
This blog post provides a deeper look into the timeline of events surrounding the bug report, as well as an explanation of the bug itself and the steps we took to resolve it and ensure it cannot happen again.
Timeline
(Note: all events occurred on February 11, 2022, and all times are in PST)
- 10:16: A member of the crypto community tweets that they have uncovered a serious flaw in the Coinbase trading interface, and requests contacts in the Coinbase Security team.
- 11:00: Based on limited initial information provided by intermediaries, Coinbase Security declares an incident and mobilizes engineering resources to begin testing all trading interfaces to determine the validity of the alleged bug.
- 11:21: The crypto researcher submits a vulnerability report through Coinbase's bug management platform, HackerOne, showing that the bug lies in a specific Retail Advanced Trading API. Coinbase engineers also review all other user interfaces and Coinbase Exchange APIs and determine that they are not affected.
- 11:42: Coinbase engineers are able to reproduce the bug, and the Retail Advanced Trading platform is placed into cancel-only mode, disabling new trades.
- 4:01: The patch is confirmed and released, resolving the incident.
Root cause
The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release.
To give an example:
- A user has an account with 100 SHIB, and a second account with 0 BTC.
- The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
- Here, the validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade.
- As a result, a market order to sell 100 BTC on the BTC-USD order book would be entered on the Coinbase Exchange.
There were mitigating factors that would have limited the impact of this bug had it been exploited at scale. For example, Coinbase Exchange has automatic price protection circuit breakers, and our trade surveillance team continuously monitors our markets for health and abnormal trading activity.
Conclusion
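The missing check in the example above, as an added illustration that is not Coinbase's code: the vulnerable validator verifies only that the funding account has enough balance, while the hardened validator also requires that the funding account hold the base asset of the order book. Order books, account identifiers and balances are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    account_id: str
    currency: str      # asset held in this account, e.g. "SHIB" or "BTC"
    balance: Decimal


# Constructed order books: symbol -> (base asset, quote asset)
ORDER_BOOKS = {
    "BTC-USD": ("BTC", "USD"),
    "SHIB-USD": ("SHIB", "USD"),
}


def validate_sell_vulnerable(account: Account, book: str, size: Decimal) -> bool:
    """Mirrors the flaw described in the post: only the balance is checked,
    never whether the funding account holds the asset being sold."""
    if book not in ORDER_BOOKS:
        raise ValueError(f"unknown order book {book}")
    return account.balance >= size


def validate_sell_fixed(account: Account, book: str, size: Decimal) -> bool:
    """Hardened check: the funding account must hold the order book's base
    asset, and only then is the balance compared against the order size."""
    if book not in ORDER_BOOKS:
        raise ValueError(f"unknown order book {book}")
    base, _quote = ORDER_BOOKS[book]
    if account.currency != base:
        return False   # mismatched source account: reject before any balance check
    return account.balance >= size


if __name__ == "__main__":
    shib = Account("acct-shib", "SHIB", Decimal("100"))
    # Vulnerable path accepts a 100 BTC sell funded from a SHIB account.
    print(validate_sell_vulnerable(shib, "BTC-USD", Decimal("100")))  # True
    # Fixed path rejects it because the account does not hold BTC.
    print(validate_sell_fixed(shib, "BTC-USD", Decimal("100")))       # False
```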
Thanks to the researcher who responsibly disclosed this issue, Coinbase was able to fix this bug in a matter of hours, and conclusively determine that it has never been maliciously exploited. We have also implemented additional checks to ensure that it cannot happen again.
Coinbase strongly supports independent security research, and when those researchers discover serious issues, we want to ensure that they are rewarded. As a result, we are paying our largest-ever bug bounty for this finding: $250,000.
We look forward to submissions from this researcher and others through our HackerOne program: https://hackerone.com/coinbase.
Retrospective: Recent Coinbase Bug Bounty Award was originally published on the Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
- Source: https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060?source=rss—-c114225aeaf7—4