- Users could cancel current orders, but it was not possible to place new ones
- The hacker has also helped CoinDesk, which originally reported the story
- Hacker also has a connection with electric car maker Tesla
A white hat hacker going by the pseudonym Tree of Alpha notified leading cryptocurrency exchange Coinbase of a vulnerability in its trading systems yesterday afternoon. Coinbase responded by suspending trading on its new Advanced Trading platform, CoinDesk reported.
A “potentially market-nuking” weak point
On Friday evening, Tree of Alpha tweeted they had discovered a “potentially market-nuking” vulnerability and were submitting a HackerOne report. HackerOne is a platform that runs bug bounty programs for Coinbase and other companies.
Tree of Alpha also tweeted:
The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices. No actual Coinbase storages (cold or otherwise) are impacted.
Two hours later, Coinbase disabled trading on its new Advanced Trading platform for technical reasons. Users could cancel current orders. It was temporarily not possible to place new ones.
Coinbase is the biggest cryptocurrency exchange in the US and one of the biggest worldwide. Oracles use its price feeds to determine the true token prices for DeFi protocols and other apps.
A few hours later, Coinbase restored full access to its Advanced Trading platform. CEO Brian Armstrong publicly tweeted his gratitude for Tree of Alpha’s help:
Tree of Alpha, you’re awesome – a big thank you for working with our team. Love how the crypto community helps each other out!
Hacker also helped CoinDesk
Among the platforms helped by Tree of Alpha is CoinDesk, which originally reported the story. A month ago, the white hat hacker contacted the leading crypto news outlet about an issue with the site’s content management system.
The vulnerability allowed outsiders to view headlines of CoinDesk articles saved as drafts, and so to sway investment decisions based on non-public information. The issue was resolved.
Hacker’s Tesla connection
Tree of Alpha also has a connection with electric car maker Tesla. In the middle of last month, one day before CEO Elon Musk announced that Tesla merchandise was available for sale in exchange for Dogecoin, Tree of Alpha tweeted that Tesla was ready to accept crypto payments on its site.
Tree of Alpha is in the habit of searching for revealing data that could be used for lucrative trades. Now and then, they find a major vulnerability to report.
He told CoinDesk on Twitter that he only leaks information when it becomes necessary to fix an error or vulnerability “to even out the playing field again.”
He adds that in this case, the Coinbase issue was a serious exploit that could have had disastrous consequences.