Tree (pacifist arc)
Feb 19, 2022, 11 tweets
Coinbase's "largest-ever bug bounty"

How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis.

Bounty: $250,000
At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like.
I put an ETH-EUR order from the UI, and grabbed the request that was sent.
I noticed the API needs product, source and target account ids.
In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet).
Expecting an error because my account is not allowed to trade the BTC-USD pair, the order just … goes through.
I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC.
Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.
For my last test before reporting this to make sure, I:
- send 9M SHIB to my Coinbase account
- change source account id to my SHIB account on Coinbase
- put a 50 BTC limit sell order using 50 SHIB
- ask people around me if they are, too, seeing it.
And quite frankly, there aren't many things quite as sobering yet terrifying as realizing:
- you just put a 50 BTC limit sell order using 50 SHIB.
- everyone else can see it.
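As an added illustration (not code from the thread, and not Coinbase's own implementation), here is the class of server-side check the thread implies was missing: reconciling product_id with the source and target accounts, the user's entitlements and the balance before accepting an order. The account ids, balances, permitted products and the `limit_price` field are constructed assumptions; the request field names follow the thread (product_id, source and target account ids).

```python
from dataclasses import dataclass

# Constructed sample data: ids, currencies, balances and entitlements are made up.
ACCOUNTS = {
    "acct-eth": {"owner": "user-1", "currency": "ETH", "balance": 0.0243},
    "acct-eur": {"owner": "user-1", "currency": "EUR", "balance": 0.0},
    "acct-usd": {"owner": "user-1", "currency": "USD", "balance": 0.0},
    "acct-shib": {"owner": "user-1", "currency": "SHIB", "balance": 9_000_000.0},
}
PERMITTED_PRODUCTS = {"user-1": {"ETH-EUR", "SHIB-USD"}}  # BTC-USD deliberately absent


@dataclass
class Order:
    user: str
    product_id: str       # "BASE-QUOTE", e.g. "ETH-EUR"
    side: str             # "sell" or "buy"
    size: float           # amount of BASE
    limit_price: float    # QUOTE per BASE (assumed field)
    source_account: str
    target_account: str


def accept_order_unchecked(order: Order) -> bool:
    """The behaviour the thread describes: both account ids exist, so the order
    is accepted; product_id is never reconciled with the accounts."""
    return order.source_account in ACCOUNTS and order.target_account in ACCOUNTS


def validate_order(order: Order) -> list:
    """Hardened server-side check. Returns the reasons to reject; [] means accept."""
    src, dst = ACCOUNTS.get(order.source_account), ACCOUNTS.get(order.target_account)
    if src is None or dst is None:
        return ["unknown account id"]
    base, quote = order.product_id.split("-")
    spend, receive = (base, quote) if order.side == "sell" else (quote, base)
    errors = []
    if src["owner"] != order.user or dst["owner"] != order.user:
        errors.append("account not owned by requesting user")
    if order.product_id not in PERMITTED_PRODUCTS.get(order.user, set()):
        errors.append("user not entitled to trade this product")
    if src["currency"] != spend:          # the reconciliation missing in the thread's bug
        errors.append(f"source holds {src['currency']} but order spends {spend}")
    if dst["currency"] != receive:
        errors.append(f"target holds {dst['currency']} but order receives {receive}")
    needed = order.size if order.side == "sell" else order.size * order.limit_price
    if src["balance"] < needed:
        errors.append("insufficient balance in source account")
    return errors
```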
5 minutes later, I was sending this initial tweet.
Thanks to an overwhelming community response including prominent faces like @cobie @samczsun @FEhrsam @SecurityGuyPhil and @vishalkgupta, I quickly get Coinbase's attention.

Barely 3 minutes after my HackerOne report is sent, I get an answer from the Dev team.
After quickly explaining the exploit and supplying a proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl. and most importantly posting orders.

Less than 30 minutes later, all markets there were in cancel-only mode.
For a malicious user, a few attack vectors included:
- shorting on ftx/binance and flashing big limit sells (>100k btc) to make the market freak out.
- actually executing a constant selling pressure by using 50 SHIB to sell 50 BTC every minute.
- trying to withdraw the proceeds.
We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way.

While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug.
Special thanks to:
- the community for helping me reach out faster.
- @coinbase for its reaction speed.
- hackerone.com for existing.

While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation.
