Bitcoin Forum
Topic: Coinbase | Trading bug (high level) detected thanks to Tree of Alpha
noorman0 (OP)
February 23, 2022, 06:46:19 AM
Last edit: February 23, 2022, 07:28:14 AM by noorman0
 #1

Recently, Tree of Alpha (ToA)'s Twitter account caught the public's attention, and Coindesk covered a summary of the storyline; you can read it here.

In short (technically), the "Advanced Trading" bug allows users to place orders for coins that they don't have (e.g. BTC) by using other coins in the portfolio in equivalent units. In his experiments, ToA managed to sell (filled) 0.0243 ETH as 0.0243 BTC and 50 SHIB as 50 BTC.
Bug detail explanation by ToA

By the way, ToA claims to have been awarded a $250k bounty for his efforts (more than the limit offered by the bug bounty program). If we look at the daily trading volume of Coinbase, which reaches an average of over $2B, is the bounty worth it? Actually, it's easy to get more than that if he initially wanted to "play". Many comments on his Twitter say that this guy is the savior of the market.

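Added example, not part of the thread and not any exchange's code: a minimal model of the class of flaw post #1 describes, where a sell order is funded from an account whose balance is compared as a bare number without checking that the account holds the asset being sold. The `Account`, `SellOrder`, `validate_naive`, `validate_strict` and `audit` names and the one-asset-per-account ledger are assumptions made for illustration; the amounts are the ones quoted in the post.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Account:          # hypothetical ledger account: one asset per account
    account_id: str
    asset: str
    balance: Decimal

@dataclass(frozen=True)
class SellOrder:        # hypothetical order shape, not any exchange's API
    base_asset: str     # asset being sold, e.g. "BTC" in BTC-USD
    quantity: Decimal
    source_account_id: str

# Constructed sample portfolio using the amounts quoted in the post.
PORTFOLIO = {
    "acct-eth": Account("acct-eth", "ETH", Decimal("0.0243")),
    "acct-shib": Account("acct-shib", "SHIB", Decimal("50")),
    "acct-btc": Account("acct-btc", "BTC", Decimal("0")),
}

def validate_naive(order, portfolio):
    """Flawed check: compares bare numbers and ignores the unit."""
    acct = portfolio.get(order.source_account_id)
    return acct is not None and acct.balance >= order.quantity

def validate_strict(order, portfolio):
    """Hardened check: returns (ok, reason); the unit must match too."""
    acct = portfolio.get(order.source_account_id)
    if acct is None:
        return False, "unknown source account"
    if order.quantity <= 0:
        return False, "non-positive quantity"
    if acct.asset != order.base_asset:
        return False, f"source holds {acct.asset}, order sells {order.base_asset}"
    if acct.balance < order.quantity:
        return False, "insufficient balance"
    return True, "ok"

def audit(orders, portfolio):
    """Detection pass: orders the naive check accepts but the strict one rejects."""
    return [(o, validate_strict(o, portfolio)[1]) for o in orders
            if validate_naive(o, portfolio) and not validate_strict(o, portfolio)[0]]

ORDERS = [  # constructed sample orders
    SellOrder("BTC", Decimal("0.0243"), "acct-eth"),   # ETH units posing as BTC
    SellOrder("BTC", Decimal("50"), "acct-shib"),      # SHIB units posing as BTC
    SellOrder("ETH", Decimal("0.01"), "acct-eth"),     # legitimate
]
```

Running `audit(ORDERS, PORTFOLIO)` flags the two mismatched orders and leaves the legitimate ETH sale alone, which is the same comparison a reconciliation job could run over historical fills.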
Beparanf
February 23, 2022, 06:50:01 AM
 #2

> Recently, Tree of Alpha (ToA)'s Twitter account caught the public's attention, and Coindesk covered a summary of the storyline; you can read it here.
>
> In short (technically), the "Advanced Trading" bug allows users to place orders for coins that they don't have (e.g. BTC) by using other coins in the portfolio in equivalent units. In his experiments, ToA managed to sell (filled) 0.0243 ETH as 0.0243 BTC and 50 SHIB as 50 BTC.
> Bug detail explanation by ToA
>
> By the way, ToA claims to have been awarded a $250k bounty for his efforts (more than the limit offered by the bug bounty program). If we look at the daily trading volume of Coinbase, which reaches an average of over $2B, is the bounty worth it? Actually, it's easy to get more than that if he initially wanted to "play". Many comments on his Twitter say that this guy is the savior of the market.

Coinbase is a centralized exchange, so there's no way the ToA guy can freely move the money that he gets out of Coinbase without being caught or followed, since Coinbase applies mandatory KYC to all their customers, and I'm pretty sure that they will find this exploit sooner or later once they do an audit. So the best choice for the guy who found the bug to get clean money as a reward is to report it and accept the reward money in a clean way. A little greediness on his side is gonna cost him a lot.

PS: The link to the article is showing an error 404. It seems it was removed already.

noorman0 (OP)
February 23, 2022, 07:29:11 AM
 #3

> Coinbase is a centralized exchange, so there's no way the ToA guy can freely move the money that he gets out of Coinbase without being caught or followed, since Coinbase applies mandatory KYC to all their customers, and I'm pretty sure that they will find this exploit sooner or later once they do an audit. So the best choice for the guy who found the bug to get clean money as a reward is to report it and accept the reward money in a clean way.

If KYC is a mandatory requirement, surely all customers have been verified, and he would not necessarily do this exploit from his own account. I think there are actually many ways: he could open an offer to sell his Coinbase balance heavily discounted on other sites, including the darkweb, or convince a verified customer to withdraw his BTC gradually.

> A little greediness on his side is gonna cost him a lot.

You are right about this, but people often forget when faced with the real situation.

> PS: The link to the article is showing an error 404. It seems it was removed already.

Fixed, thanks :)

Beparanf
February 23, 2022, 07:40:46 AM
 #4

> > Coinbase is a centralized exchange, so there's no way the ToA guy can freely move the money that he gets out of Coinbase without being caught or followed, since Coinbase applies mandatory KYC to all their customers, and I'm pretty sure that they will find this exploit sooner or later once they do an audit. So the best choice for the guy who found the bug to get clean money as a reward is to report it and accept the reward money in a clean way.
>
> If KYC is a mandatory requirement, surely all customers have been verified, and he would not necessarily do this exploit from his own account. I think there are actually many ways: he could open an offer to sell his Coinbase balance heavily discounted on other sites, including the darkweb, or convince a verified customer to withdraw his BTC gradually.

I doubt that someone on the darkweb will buy this kind of offer for a million dollars, since they will wonder why the seller would sell the exploit info when he can use it for his own benefit. They will not risk huge money for an unsure profit. It's like selling a dice script or other tricks here that promise a profit, yet why would the seller sell it rather than use it for their personal gain?

The guy who reported it did the right thing to have a secure profit IMHO.
