Coinbase Smart Contract Was Open to Infinite ETH Withdrawals

March 22, 2018

The glitch was discovered accidentally, and no deliberate exploit has been made.

Coinbase, one of the best-used services for US-based customers, suffered a smart contract glitch, luckily without large-scale losses. A faulty smart contract logic existed for about a month, potentially allowing for infinite Ethereum balances. The exchange pointed out that no one had exploited the smart contract, although a mention was made about accidental losses.

The glitch in the smart contract allowed users to only add ETH to their Coinbase account, which is not the same as freely withdrawing Ethereum into a private-key wallet. And since Coinbase accounts are fully verified and linked to personalities, the smart contract exploit would have revealed any attempt to actually withdraw the ETH coins.

The issue was discovered in a bounty program and was rewarded with $10,000.

The crypto community was somewhat worried by the news:

Yet smart contract security remains a much bigger issue, and so far, some startup projects continue to run smart contracts without auditing, or by only relying on a bounty program. Smart contracts are still relatively new, and faulty logic has caused infinite withdrawals in the past as well, most notably in the DAO ICO hack.

Yet some believe the smart contract was acting correctly, while the problem was with the centralized Coinbase balance system. It was after the smart contract payments were handled that the potential for losses appeared. So far, it is unknown whether someone could have moved large amounts of ETH without revealing his real personality.

Usually, the output of smart contracts is considered correct, but the handling of the data may lead to common-sense mistakes, this time in crediting a user balance based on the contract’s output.

Until now, exchanges have protected themselves from double spending or incorrect balances by requiring a larger number of transaction confirmations. The biggest danger is in accepting zero-confirmation transactions.

So far, the most faults have been happening around ETH-based smart contracts, mostly because this is the best-used platform. But this remains one of the biggest security challenges for the crypto space.

Source: Read Full Article