Coinbase’s API Security Nightmare
10 February 2023
Introduction
Coinbase is the world’s largest cryptocurrency exchange. In Feb 2022, a bug in Coinbase’s API allowed an attacker to trick Coinbase into selling coins the attacker did not have. This API security issue allowed attackers to effectively print crypto money by selling, for example, Bitcoins they did not have on Coinbase – in exchange for USD.
Thankfully for Coinbase and the entire crypto market, the attacker that found this hack put on his white hat and disclosed the issue to Coinbase. It’s hard to overstate the amount of damage this API security bug could have caused to Coinbase had it been exploited by a malicious attacker.
Market-Nuking
This means that a tech – savvy attacker could manipulate the API request and trick Coinbase into selling coins he did not have. This is the crypto equivalent of convincing your bank to transfer money you don’t have, and since Coinbase can sell your coins for USD – it is exactly that.
If this bug were to be exploited, it would let an attacker effectively print money using the API. Coinbase could be immensely hurt – financially and in reputation. (This has already happened in the past to the then-leading crypto exchange, called Mt. Gox).
API security issues are often dramatically damaging – as the API by its nature allows users to directly access and modify the database and business logic.
Timeline
The action took place over 6 hours, two weeks ago. Security researcher @Tree_of_Alpha hacked the API and found the security bug at 10:16 am and called for an immediate response by Coinbase.
Feb 11th, 10:16 am PST:
Within 90 minutes, by 11:42 am PST, Coinbase engineers reproduced the issue, understood the implication, and shut down new orders.
Such a timely response is to be commended. Everyone has API security issues; quick detection and remediation of issues is the hallmark of successful companies.
By 4:01pm PST, Coinbase engineers fix the issue and release a fix, resolving the incident. @Tree_of_Alpha was awarded a quarter of a million dollars for his work.
Technical Details
One of Coinbase’s platforms includes an API endpoint which allows selling one coin for another coin. This endpoint included the amount to sell, and also the details of which account to sell from (which coin).
For example, an attacker might sell some Bitcoin in exchange for USD, but trick the API by specifying the source account to be a separate account of his – e.g., his Ethereum account, rather than his Bitcoin – thus in practice selling his Ethereum, but getting the Bitcoin value for it. (1 Bitcoin is worth 15 Ethereum, and this practice can be done with any coin – effectively allowing the printing of infinite money).
To trigger the exploit, the attacker needed merely to modify a single field in the API request – the source account_id – to another one of his own accounts, containing a “cheaper” coin.
To quote Tree of Alpha:
“While every asset has a default wallet, you can have several wallets for a specific asset. The API was trying to work around that by specifying which wallet the funds should come from, without ever checking if that wallet was the required type.”
To quote Coinbase’s own retrospective:
“The validation service would check to determine whether the source account had a sufficient balance to complete the trade, but not whether the source account matched the proposed asset for submitting the trade.”
Implication
This particular attack requires no special information or technology, no insider knowledge, no 0-day issues. It did not require a nation-state, nor an army of hackers – just a lone, talented, curious attacker, and a single oversight in the code.
This happened to Coinbase, which has one of the strongest engineering teams in the world, with a very high security awareness.
If it happened to Coinbase, it could happen to you.
Is your API secure? Traditional security tech such as WAFs is powerless to detect such attacks. How does a CTO or CISO make sure their API is immune to such attacks?
There are two main strategies.
Proactive API Attack Simulation
Researchers like Wib’s team are leading technology that proactively simulates attacks at the API level, by creating variants of all possible attacks on the API, analyzing the results, and deducing whether the response indicates that the API has a logical bug in it – a vulnerability.
Our Attack Simulator finds bugs like the one that almost brought down Coinbase (and with it, potentially the entire crypto industry). The diligent CTO or CISO would be well-advised to seek out a proactive attack simulation against their APIs.
Find your API issues before random attackers on Twitter do.
Proactive API Traffic Detection
The second strategy the diligent CISO – one aware of the importance of API security issues – would take, is a defensive tool such as Wib’s Traffic Inspection. This tool detects API attacks by detecting the anomalous pattern and can proactively block the attacker, before they empty your wallets.
Full Lifecycle API Security
At Wib, we work with enterprises around the world to help them defend their API security. API attacks are the #1 attack vector – and Coinbase’s near “market nuke” bug illustrates why. Our approach of Full Lifecycle API Security allows enterprises to make sure their APIs are secure.
If you read all the way here, you probably already realize that you need an API security solution, and as soon as possible. Contact us today to schedule a demo for how we can help you avoid problems that even Coinbase’s engineers could not stop.
