How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis.
Bounty: $250,000
At first, I decided to poke around the new Advanced Trading platform to find out how orders are sent and what a successful one looks like.
I put an ETH-EUR order from the UI, and grabbed the request that was sent.
I noticed the API needs product, source and target account ids.
In order to get a failed message, I changed the product_id to BTC-USD, but did not change the two account ids (source is my ETH wallet, target is my EUR wallet).
I expected an error, because my account is not allowed to trade the BTC-USD pair, but the order just … goes through.
I just used 0.0243 ETH to sell 0.0243 BTC on the BTC-USD pair, a pair I do not have access to, without holding any BTC.
Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book.
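What the thread describes is a missing server-side consistency check: the order carried a product_id plus two account ids, and nothing verified that the source account actually held the product's base currency, that the target account held its quote currency, or that the user was permitted to trade the pair. The following is an added example (not Coinbase's code; the account ids, balances and permission set are constructed) that models the same request shape and places the permissive check the bug implies beside the strict check a defender would want, so the mismatched ETH-for-BTC order from the thread is rejected with explicit reasons:

```python
"""Server-side order validation for a spot-trading API (added example).

Models an order carrying product_id, source_account_id and target_account_id,
as in the request described in the thread, and shows two validators:
  - validate_permissive: only checks that accounts exist and the source
    balance covers the size (the kind of check that lets a mismatched order
    through);
  - validate_strict: additionally checks product permission and that the
    source/target account currencies match the pair's base/quote.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    account_id: str
    currency: str
    balance: float


@dataclass(frozen=True)
class Order:
    product_id: str          # trading pair, e.g. "BTC-USD" (base-quote)
    side: str                # "sell" or "buy"
    size: float              # quantity of the base currency
    source_account_id: str   # account to debit
    target_account_id: str   # account to credit


# Constructed sample data; the ids are hypothetical, not real account ids.
ACCOUNTS: Dict[str, Account] = {
    "acct-eth": Account("acct-eth", "ETH", 0.0243),
    "acct-eur": Account("acct-eur", "EUR", 0.0),
    "acct-shib": Account("acct-shib", "SHIB", 9_000_000.0),
}
ALLOWED_PRODUCTS: Set[str] = {"ETH-EUR"}   # pairs this user may trade


def split_product(product_id: str) -> Optional[Tuple[str, str]]:
    """Return (base, quote) for 'BASE-QUOTE', or None if malformed."""
    base, sep, quote = product_id.partition("-")
    if not sep or not base or not quote:
        return None
    return base, quote


def validate_permissive(order: Order, accounts: Dict[str, Account]) -> List[str]:
    """Weak check: product parses, accounts exist, source balance covers size.
    It never relates the account currencies to the product, so an ETH
    account can be used to 'sell' BTC. Returns a list of rejection reasons
    (empty list means accepted)."""
    reasons: List[str] = []
    if split_product(order.product_id) is None:
        reasons.append("malformed product_id")
    src = accounts.get(order.source_account_id)
    if src is None or order.target_account_id not in accounts:
        reasons.append("unknown account id")
    elif src.balance < order.size:
        reasons.append("insufficient balance")
    return reasons


def validate_strict(order: Order, accounts: Dict[str, Account],
                    allowed: Set[str]) -> List[str]:
    """Strict check: the product must be permitted for the user, the source
    account must hold the currency the order debits and the target account
    the currency it credits, and the balance is checked in that currency."""
    parsed = split_product(order.product_id)
    if parsed is None:
        return ["malformed product_id"]
    base, quote = parsed
    reasons: List[str] = []
    if order.product_id not in allowed:
        reasons.append(f"product {order.product_id} not permitted for this user")
    src = accounts.get(order.source_account_id)
    dst = accounts.get(order.target_account_id)
    if src is None or dst is None:
        return reasons + ["unknown account id"]
    if order.side == "sell":
        debit_ccy, credit_ccy = base, quote
    elif order.side == "buy":
        debit_ccy, credit_ccy = quote, base
    else:
        return reasons + ["invalid side"]
    if src.currency != debit_ccy:
        reasons.append(f"source account holds {src.currency}, order debits {debit_ccy}")
    if dst.currency != credit_ccy:
        reasons.append(f"target account holds {dst.currency}, order credits {credit_ccy}")
    # Balance is only meaningful once the source currency matches; a buy's
    # cost in quote currency needs a price, so the size check is sell-only here.
    if order.side == "sell" and src.currency == debit_ccy and src.balance < order.size:
        reasons.append("insufficient balance")
    return reasons


if __name__ == "__main__":
    # The thread's mismatched order: ETH source, EUR target, BTC-USD product.
    bad = Order("BTC-USD", "sell", 0.0243, "acct-eth", "acct-eur")
    print("permissive:", validate_permissive(bad, ACCOUNTS) or "accepted")
    print("strict:", validate_strict(bad, ACCOUNTS, ALLOWED_PRODUCTS))
```

The strict validator reports every failed invariant rather than the first one, which is useful for audit logging: a request that fails product permission, source currency and target currency at once looks very different from an ordinary insufficient-balance rejection and is worth alerting on.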
For my last test before reporting this, to make sure, I:
- send 9M SHIB to my Coinbase account
- change the source account id to my SHIB account on Coinbase
- put a 50 BTC limit sell order using 50 SHIB
- ask people around me if they, too, are seeing it.
And quite frankly, there aren't many things quite as sobering yet terrifying as realizing:
- you just put a 50 BTC limit sell order using 50 SHIB.
- everyone else can see it.
5 minutes later, I was sending this initial tweet.
Barely 3 minutes after my HackerOne report is sent, I get an answer from the Dev team.
After quickly explaining the exploit and supplying a proof of concept, I insist on how Coinbase needs to immediately stop all Advanced Trading, incl. and most importantly posting orders.
Less than 30 minutes later, all markets there were in cancel-only mode.
For a malicious user, a few attack vectors included:
- shorting on ftx/binance and flashing big limit sells (>100k btc) to make the market freak out.
- actually executing a constant selling pressure by using 50 SHIB to sell 50 BTC every minute.
- trying to withdraw the proceeds.
We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way.
While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug.
Special thanks to:
- the community for helping me reach out faster.
- @coinbase for its reaction speed.
- hackerone.com for existing.
While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation.