Bitcoin Forum

Hack bug duplicate transaction


If a vulnerability occurs in the system, where you buy eth and the exchange due to some bug doubles the purchase, and you manage to withdraw it to your wallet twice, what would be your responsibility in this bug?
Could the exchange charge you (has kyc) in the future for this "hack"?
Or should you take advantage of this flaw and create infinite money? Do you think it would be a police case?

You can't create infinite money because the exchange have a limited supply.

And yes, they can and will sue you. There was a few similar cases[1][2] in the past where people got more money (not necessarily by exploiting a bug) and the exchange sued them (or at least threatened to).

[1] https://decrypt.co/108586/crypto-com-sues-woman-10-million-mistake
[2] https://www.coindesk.com/business/2022/10/17/coinbase-threatens-to-sue-crypto-traders-who-profited-from-pricing-glitch/

I'm sure later after you withdraw some money from the exchange due to hack/bugs police will seize you.


If I were you if you found bugs or holes that are vulnerable for attacks then since most exchanges have a bug bounty program reporting it is the best because they will also give you rewards.

What is the best way for me to report this failure to the exchange?

A way to reach their support can be found on the exchange's website, look into the website's footer/on their help center/for a message symbol on the bottom right or on their menu bar.

Some exchange's also has a separate page for bug bounties which can be typically found on the footer as well, you may do a "Ctrl+F" command to save time.

All exchanges have their own way or a guide on how to report bugs/security vulnerabilities sample Kucoin they have a guide on how to report these from this link below

- https://www.kucoin.com/news/en-kucoin-bug-bounty-program-launched

And you will be rewarded depending on how critical it is.

The exchange will surely track you for this thing and may be freeze your account and threaten you.
But would you withdraw the money at first place ? Would you be able to live with the fact that you stole someone's money.
It is definitely similar to stealing someone's money and so may be yes there might be a police case as well.
Does your morals support you for this action. There are things which we should avoid to live a peaceful life and this is definitely one of it.

Your responsibility if you discover this kind of bug should be to return it back to the exchange, it would be foolhardy to try and go on the run with this money when the exchange knows about you through your KYC documents, it might take sometime but the fact still remains that the exchange would come after you and would drag you to court, especially if the sum of money is quite substantial.
You can't create infinite money for one obvious reason already mentioned earlier in this thread, and also because it usually does not take long before the exchange would detect what's going on and immediately lock your account.

You can leverage bugs to earn money (not infinity) by reporting them to support. Indeed, in the past there have been some disappointing endings for unpaid bug hunters even at extreme vulnerability levels (for example (https://bitcointalk.org/index.php?topic=3240268.0)). I think you should first withdraw a large amount as a "collateral" bounty before reporting it. lol

Regardless of what an exchange will do to recover their fund, why would someone take advantage? You are being dishonest here. Don't you think it's something unethical? You must return the sum back to the exchange by contacting their support.
Coincidently, I got $50 worth of BDT today from a user of Binance P2P. I have sold $50 through Binance P2P today and the guy sent me a worth of BDT twice. I instantly called the number from which I have been sent the money but he didn't pick up the call. Later, I PMed him in the Binance P2P chat and got no response. I kept calling him and finally, he picked up the call. Note that he had nothing to do as according to the order, I have released the USDT. Also, for $50 worth of BDT, I think no one will sue you here because it requires valid proof. Well, cryptocurrency is illegal here and he can't claim the money legally because he will also face legal issues because of transacting cryptocurrency. Anyway, I asked him for his Binance pay id and paid him $50 one more time. It's ethics, you shouldn't be unethical.

I contacted chat support and they asked me to send an email.  I will send the email reporting about everything that happened and how the duplicity is done. Peace.