The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed. The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only accidental loss for Coinbase, and no exploitation attempts.
The Security team thanks @vicompany for the quick disclosure, and also the internal team for pushing a fix within hours. We do appreciate @vicompany's patience as the full communication loop back to HackerOne took significantly longer than the fix deployment cycle. Short Summary: By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account. If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want. When you look up the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.
Steps To Reproduce: * Setup a smart contract with a few valid Coinbase wallets and 1 final faulty wallet (always throw exception when receiving funds smart contract for example) * Transfer appropriate funds to smart contract. * Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet. * Repeat until you have more than enough ethereum in your Coinbase wallet. * Cash out, transfer to off site wallet
For some more information see https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty