Bitcoin Forum
Topic: Coinbase Bans me After i Help them fix major Exploit
David19 (OP)
December 20, 2015, 02:07:51 PM
 #1

So everything started back in June 2015. After using Coinbase as my "online btc vault" for about 4-5 months, keeping anywhere from $2500 worth of btc to $10,000, I got very interested in how their "Vault" system works and how safe it is. After testing it out and experimenting with it for over a week I was able to find one of the most major exploits on the site. In a nutshell, what the exploit allowed me to do was to put my account into negative balance while withdrawing the btc, which basically resulted in me being able to cash out infinite Bitcoins even if I didn't have them on my account. Instead of abusing the exploit I have decided to help Coinbase fix the exploit by giving them step-by-step instructions on how to reproduce the bug on hackerone. After they were able to fix the exploit I was rewarded a measly $5,000 bounty, which I thought was unfair, and I was expecting to get upwards of $25,000. I helped them fix something that could have damaged them in hundreds of thousands of dollars, maybe even millions, if the exploit was executed correctly with the right amount of people. Anyway, after I got my bounty and moved on they put some kind of "secret" ban on my account, which I was unaware of, and I got no email at the time telling me the account was banned or locked in any kind of way. So I found out that they had put a lock on my bitcoins, and whatever I would send to my coinbase wallet I couldn't withdraw or use in any way. I sent them a few support emails and got no clear response. After further investigation into their Vault I was able to discover an almost identical exploit which resulted in the same manner as the previous one.
After informing Coinbase of the new exploit it took them a few months to reply on hackerone, and after they did they put a full ban on my coinbase account for no relevant reason, and after that they sent me a request on hackerone to give them further instructions, which they clearly knew I was unable to do because moments before they asked for that they had banned my account. Time passed with no clear reply from Coinbase and they labeled the newer exploit as "Informative", rewarding me with no bounty. After trying to replicate the new exploit on a new account it was clear that they had fixed it and didn't reward me for it.

I didn't want this to go public and tried to deal with Coinbase in private, but with no clear resolution I have no other choice but to just put this out for everyone.

Proof:

first exploit resolution on hackerone:

https://i.imgur.com/GgD0L0l.png

proof of the first exploit being performed correctly:

https://i.imgur.com/x2miZOk.png https://i.imgur.com/bUKlXhY.png

proof of ban from coinbase after they fix the second exploit:

https://i.imgur.com/C3uyA2V.png

second exploit being marked as "Informative" after they had fixed it and banned me from accessing coinbase:

https://i.imgur.com/Z8EXORY.png

NOTE: I only used Coinbase to keep my bitcoins in their wallet. I have never used Coinbase as a means to buy or sell my bitcoins.
techmanuk
December 20, 2015, 02:14:56 PM
 #2

It's worrying that these sorts of bugs existed in their systems..

At least you got $5000 out of it.
Slark
December 20, 2015, 02:18:04 PM
 #3

Yet another reason not to use online wallets. And keep your FIAT and coins deposited while trading as short as you can. Coinbase might be big, but their system is not free from all kinds of bugs.
Denker
December 20, 2015, 02:28:04 PM
 #4

Coinbase is a bunch of crooks and a**holes!
Hope this was a lesson for you!
I know you did it with best purposes, but you also had been quite naive and got a nice kick in the butt for that.
I myself hope that Brian and his dipshit crew will not be needed anymore in a few years. I mean we already don't need them, but there are still more than enough guys using their service, which I don't understand.
They are no real Bitcoiners. They never had been!
David19 (OP)
December 20, 2015, 02:42:07 PM
 #5

Quote from: Slark
> Yet another reason not to use online wallets. And keep your FIAT and coins deposited while trading as short as you can. Coinbase might be big, but their system is not free from all kinds of bugs.

It was never about them as "online wallet" service. It was more about them low balling me on their bounties and not paying me for the second exploit. Wasting months of my time for nothing. Doing sketchy stuff that would never be expected from a big business like Coinbase. Banning my account for no reason, but to just have an excuse for not paying for the second exploit report.
bitsmichel
December 20, 2015, 02:49:21 PM
 #6

Quote from: David19
> Quote from: Slark
>> Yet another reason not to use online wallets. And keep your FIAT and coins deposited while trading as short as you can. Coinbase might be big, but their system is not free from all kinds of bugs.
>
> It was never about them as "online wallet" service. It was more about them low balling me on their bounties and not paying me for the second exploit. Wasting months of my time for nothing. Doing sketchy stuff that would never be expected from a big business like Coinbase. Banning my account for no reason, but to just have an excuse for not paying for the second exploit report.

I doubt it is legal to close an account with that amount of money, but I am not a lawyer. I did hear about Coinbase closing accounts for gambling related issues. Maybe closing accounts is part of their business model

Quote from: David19
> I have decided to help Coinbase fix the exploit by giving them step-by-step instructions on how to reproduce the bug on hackerone. After they were able to fix the exploit I was rewarded a measly $5,000 bounty

It's odd that you got a bounty while at the same time your account was closed. Did you use the same username on hackerone and coinbase?

David19 (OP)
December 20, 2015, 02:54:16 PM
 #7

Quote from: bitsmichel
> Quote from: David19
>> Quote from: Slark
>>> Yet another reason not to use online wallets. And keep your FIAT and coins deposited while trading as short as you can. Coinbase might be big, but their system is not free from all kinds of bugs.
>>
>> It was never about them as "online wallet" service. It was more about them low balling me on their bounties and not paying me for the second exploit. Wasting months of my time for nothing. Doing sketchy stuff that would never be expected from a big business like Coinbase. Banning my account for no reason, but to just have an excuse for not paying for the second exploit report.
>
> I doubt it is legal to close an account with that amount of money, but I am not a lawyer. I did hear about Coinbase closing accounts for gambling related issues. Maybe closing accounts is part of their business model
>
> Quote from: David19
>> I have decided to help Coinbase fix the exploit by giving them step-by-step instructions on how to reproduce the bug on hackerone. After they were able to fix the exploit I was rewarded a measly $5,000 bounty
>
> It's odd that you got a bounty while at the same time your account was closed. Did you use the same username on hackerone and coinbase?

I didn't lose any money because of the closure of my account. What I lost was providing them more steps to be able to completely replicate the second exploit, which I think I had given them enough. What I think they did was ban my account so I wasn't able to provide them with more info that they have requested from me, and therefore they didn't pay me for the second bounty and closed my account for no apparent reason.

If coinbase is pulling off this kind of stuff to avoid paying me, you can think of what else they might be doing.
saturn643
December 21, 2015, 01:20:54 AM
 #8

Did you tell them that you were going to be doing this kind of experimentation with your account? They might have banned you because your account was doing (in their eyes) sketchy stuff since you are experimenting and finding holes in their system. If you were malicious, then that could be really bad for them. They might have banned you if they did not know you were doing that.
bitbaby
December 21, 2015, 03:13:53 AM
 #9

Quote from: David19
> Quote from: bitsmichel
>> Quote from: David19
>>> Quote from: Slark
>>>> Yet another reason not to use online wallets. And keep your FIAT and coins deposited while trading as short as you can. Coinbase might be big, but their system is not free from all kinds of bugs.
>>>
>>> It was never about them as "online wallet" service. It was more about them low balling me on their bounties and not paying me for the second exploit. Wasting months of my time for nothing. Doing sketchy stuff that would never be expected from a big business like Coinbase. Banning my account for no reason, but to just have an excuse for not paying for the second exploit report.
>>
>> I doubt it is legal to close an account with that amount of money, but I am not a lawyer. I did hear about Coinbase closing accounts for gambling related issues. Maybe closing accounts is part of their business model
>>
>> Quote from: David19
>>> I have decided to help Coinbase fix the exploit by giving them step-by-step instructions on how to reproduce the bug on hackerone. After they were able to fix the exploit I was rewarded a measly $5,000 bounty
>>
>> It's odd that you got a bounty while at the same time your account was closed. Did you use the same username on hackerone and coinbase?
>
> I didn't lose any money because of the closure of my account. What I lost was providing them more steps to be able to completely replicate the second exploit, which I think I had given them enough. What I think they did was ban my account so I wasn't able to provide them with more info that they have requested from me, and therefore they didn't pay me for the second bounty and closed my account for no apparent reason.
>
> If coinbase is pulling off this kind of stuff to avoid paying me, you can think of what else they might be doing.

My guess is they don't want to pay you anymore to search for any more exploits in their system, which is why they closed your access to coinbase vault because they know that you're going to keep trying to find more, if you were able to get $5000 out which they paid you for the first exploit you pointed out then I don't see any problem with it honestly. You can email them and ask them that if there are any bounties for finding more exploits, if they say 'no' then just move on.

With your abilities I am sure you can get other bounties from various BTC sites, such as Exchanges, Casinos etc. but I commend you for not taking advantage of their holes and reporting them as a responsible person, not a lot of people would have done that.

favdesu
December 21, 2015, 06:37:32 AM
 #10

strange, but you got your money out? did you even use their service?

David19 (OP)
December 21, 2015, 01:46:07 PM
 #11

Quote from: favdesu
> strange, but you got your money out? did you even use their service?

When the full ban was applied, I was able to get my money out. Biggest problem now is that they didn't pay me for the second exploit I reported and fixed it and labeled it as "Informative" whilst banning my account for a reason they didn't specify.
kpitti
December 21, 2015, 02:11:35 PM
 #12

Good that you got paid for the first exploited hole in their system. Would be helpful to see Coinbase's statement about this. As they are a public service they should care about reputation.
David19 (OP)
December 21, 2015, 02:25:56 PM
 #13

Quote from: kpitti
> Good that you got paid for the first exploited hole in their system. Would be helpful to see Coinbase's statement about this. As they are a public service they should care about reputation.

They have already responded here: https://www.reddit.com/r/Bitcoin/comments/3xksss/coinbase_bans_me_after_i_help_them_fix_major/


I am still working with coinbase for further clarification.
bitlancr
December 21, 2015, 03:53:15 PM
 #14

Well, I can keep adding reasons to my list to not use online wallets or at least as limited as I possibly can.
Then again, in your case you did hold a lot of bitcoins worth on your wallet, you shouldn't have done that either. I understand why you'd wanna test it though, but I wouldn't dare to even try out the vault with so many bitcoins.
amacar2
December 21, 2015, 05:10:51 PM
 #15

What a silly bug they have in their wallet, get more about what was the bug after reading their reply in the reddit post.
You may have earned a lot rather than helping them, but they are trying to be smart by saying the banning has been done by a different department.
Feeling unsecured from online wallet and exchangers.
David19 (OP)
December 21, 2015, 06:41:31 PM
 #16

Quote from: bitlancr
> Well, I can keep adding reasons to my list to not use online wallets or at least as limited as I possibly can.
> Then again, in your case you did hold a lot of bitcoins worth on your wallet, you shouldn't have done that either. I understand why you'd wanna test it though, but I wouldn't dare to even try out the vault with so many bitcoins.

I only stored a small portion of my coins on coinbase and only for a short period of time.