Coinbase, one of the most prominent crypto exchanges, had a bug in its deposit accounting that malicious users could have exploited to be credited with Ether they never actually deposited. VI Company, a Dutch FinTech firm, found the bug and alerted Coinbase, helping the exchange avoid a potentially serious incident.
The blockchain technology that cryptocurrencies are built on is, in itself, sound. Accounts are protected by public-key cryptography (digital signatures, not encryption in the strict sense), and recovering a private key from its public counterpart would take billions of years with currently available computing technology. The consensus mechanism is also robust: miners must furnish proof of work (PoW) before they can create a new block, the network is decentralized, and miners run very powerful hardware, typically Graphics Processing Units (GPUs) or dedicated mining hardware alongside their CPUs. For an attacker with today's computing resources, capturing the majority of a large network's hashing power is prohibitively expensive. This makes the foundation of the major cryptocurrencies safe from direct attack.

Cryptocurrency exchanges, however, are ordinary web applications. Coins held in an exchange's 'hot' wallets are controlled by private keys that live on the exchange's centralized, internet-connected servers, which are far easier to attack than the chain itself. Most of the major cryptocurrency hacking incidents have involved exchanges rather than the underlying protocols, and an exchange with bugs in its own code, such as the accounting logic that credits customer deposits, is especially vulnerable.
Coinbase had one such bug, which was fortunately detected and reported by VI Company in December 2017.
Smart contracts, i.e. programs deployed on the blockchain that hold funds and execute automatically when coded conditions are met, for example transferring cryptocurrency once a payment condition is satisfied, govern relationships between stakeholders on the Ethereum blockchain. They set Ethereum apart from other blockchains and significantly raise its potential. VI Company wanted to gift some cryptocurrency to its employees for Christmas 2017 and, in the process, make them familiar with smart contracts, so it wrote a contract that paid out ether to several Coinbase wallets.
A few people at VI Company understood that an Ethereum transaction is atomic: if one of the internal transfers made by the contract fails, the whole transaction reverts and every transfer in it is undone, which is exactly how a smart contract should behave. Coinbase's internal accounting, however, did not register the reversal. It recorded the internal transfers to its deposit addresses as completed without checking whether the enclosing transaction had succeeded, so Coinbase showed the wallet as credited with additional ether while checking the same address outside of Coinbase showed that no deposit had occurred. VI Company uploaded screenshots of its transactions and outlined the simple steps by which a large number of Ethers could have been collected unethically*:
- Set up a smart contract with a few valid Coinbase wallets and [one] final faulty wallet
- Transfer appropriate funds to smart contract
- Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet
- Repeat until you have more than enough Ethereum in your Coinbase wallet.
- Cash out
The Coinbase account would show the funds as present even though they never left the contract; the "ether" that could be collected this way existed only in Coinbase's records. A bad actor could then either withdraw that balance to a wallet not tied to Coinbase or convert it to fiat money in a bank account. Large transfers done this way would very likely have alerted Coinbase, and even a successful withdrawal would still have to pass through a laundering process, since Coinbase is also fairly strict about verifying the real-world identity of its traders.
*Source of information: Gizmodo report
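To make the failure mode concrete, here is an added Python simulation; it is not code from VI Company, Coinbase or the Gizmodo report. It models a toy ledger in which one transaction makes several internal value transfers and a failure in the last one reverts everything the transaction did, while the internal calls remain visible in the transaction's traces (as they do on a real Ethereum node). Two deposit indexers then process the same transaction: a vulnerable one that credits every internal transfer it sees, and a hardened one that requires a successful receipt and reconciles traced inflows against the on-chain balance change. All addresses, amounts, the "0xbad" naming convention for the throwing recipient and the indexer functions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WEI = 10**18  # one ether, in wei


@dataclass
class Trace:
    """One internal value transfer recorded while a transaction executed."""
    to: str
    value: int
    error: Optional[str] = None  # set when this particular call failed


@dataclass
class Receipt:
    status: int  # 1 = success, 0 = reverted
    traces: List[Trace] = field(default_factory=list)


class Ledger:
    """Toy chain state: address balances plus atomic transaction execution."""
    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def run_contract_tx(self, contract: str, transfers: List[Tuple[str, int]]) -> Receipt:
        """Send `transfers` ([(to, value), ...]) from `contract` in order. If any send
        fails, every balance change is undone, but the internal calls stay in the traces."""
        snapshot = dict(self.balances)
        traces: List[Trace] = []
        for to, value in transfers:
            # Constructed convention: an address starting with "0xbad" plays the
            # "faulty wallet", a contract whose receive function throws.
            if to.startswith("0xbad") or self.balances.get(contract, 0) < value:
                traces.append(Trace(to, value, error="Reverted"))
                self.balances = snapshot  # atomic revert of the whole transaction
                return Receipt(0, traces)
            self.balances[contract] -= value
            self.balances[to] = self.balances.get(to, 0) + value
            traces.append(Trace(to, value))
        return Receipt(1, traces)


def _inflows(receipt: Receipt, deposit_addrs: Dict[str, str]) -> Dict[str, int]:
    """Value of non-failing internal transfers into each watched deposit address."""
    per_addr: Dict[str, int] = {}
    for t in receipt.traces:
        if t.to in deposit_addrs and t.error is None:
            per_addr[t.to] = per_addr.get(t.to, 0) + t.value
    return per_addr


def credit_vulnerable(receipt: Receipt, deposit_addrs: Dict[str, str]) -> Dict[str, int]:
    """Vulnerable indexer: credits the customer for every internal transfer it sees
    and never asks whether the enclosing transaction succeeded."""
    credits: Dict[str, int] = {}
    for addr, value in _inflows(receipt, deposit_addrs).items():
        credits[deposit_addrs[addr]] = credits.get(deposit_addrs[addr], 0) + value
    return credits


def credit_hardened(receipt: Receipt, deposit_addrs: Dict[str, str],
                    before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Hardened indexer: skip reverted transactions, then reconcile each traced
    inflow against the address's observed on-chain balance change."""
    if receipt.status != 1:
        return {}
    credits: Dict[str, int] = {}
    for addr, value in _inflows(receipt, deposit_addrs).items():
        delta = after.get(addr, 0) - before.get(addr, 0)
        if delta < value:  # the traces claim more than the chain actually shows
            raise ValueError(f"trace/balance mismatch for {addr}: {value} > {delta}")
        credits[deposit_addrs[addr]] = credits.get(deposit_addrs[addr], 0) + value
    return credits


def demo() -> Dict[str, object]:
    """Replay the reported pattern with constructed data: three valid deposit
    addresses, then one faulty recipient that makes the whole transaction revert."""
    contract = "0xc0ffee"  # the attacker's distribution contract
    deposits = {"0xcb01": "attacker", "0xcb02": "attacker", "0xcb03": "attacker"}
    ledger = Ledger({contract: 10 * WEI})

    before = dict(ledger.balances)
    bad_run = ledger.run_contract_tx(contract, [(a, WEI) for a in deposits] + [("0xbad0", WEI)])
    after = dict(ledger.balances)  # identical to `before`: nothing moved on-chain
    # Same payout without the faulty recipient: a legitimate deposit that does move funds.
    good_run = ledger.run_contract_tx(contract, [(a, WEI) for a in deposits])
    final = dict(ledger.balances)

    return {
        "reverted_status": bad_run.status,
        "reverted_onchain_delta": sum(after.get(a, 0) - before.get(a, 0) for a in deposits),
        "reverted_vulnerable_credit": credit_vulnerable(bad_run, deposits),
        "reverted_hardened_credit": credit_hardened(bad_run, deposits, before, after),
        "success_hardened_credit": credit_hardened(good_run, deposits, after, final),
    }
```

Calling `demo()` shows the asymmetry at the heart of the report: the reverted transaction leaves every on-chain balance unchanged, yet the vulnerable indexer credits the attacker three ether from the traces alone, while the hardened indexer credits nothing for the reverted run and the correct amount for the genuine one. On Ethereum the receipt's status field (available since the Byzantium upgrade of October 2017) is the cheapest check; reconciling credited deposits against actual balance changes at each block boundary catches anything that check misses.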
Coinbase paid VI Company a US $10,000 bounty for its help, and the bug was fixed within about a month.
While it is clear that cryptocurrency exchanges need to be forever vigilant against bugs that allow attackers to steal large sums of cryptocurrency, crypto traders also need to remain committed to the following security best practices:
- Understand the basics of the technology you rely on: encryption, backups, wallets, anti-malware software and so on;
- Back up your computer regularly, keep multiple copies including an offsite one, and encrypt them with well-established encryption tools; back up wallet recovery phrases offline, never in a cloud note or an e-mail;
- Keep only a small amount of coins in 'hot' wallets, i.e. wallets whose keys sit on an internet-connected system (an exchange account is the extreme case, since the exchange holds the keys, not you), keep even less in mobile wallets, and keep the majority of your coins in cold storage on a hardware wallet;
- Use reputable hardware wallets, bought directly from the manufacturer rather than second-hand or from an unknown reseller;
- Use a separate computer for crypto trading, and don't browse the web or read e-mail on it;
- Keep all your passwords and encryption keys secure, ideally in a password manager, and never store private keys or recovery phrases in plaintext on an internet-connected machine;
- Keep anti-malware software installed and up to date; paid or free, it is a baseline defence that cannot keep pace with every new strain of malware, so don't rely on it alone;
- Use two-factor authentication on your exchange accounts and on the e-mail account that can reset them, preferring an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping;
- Seriously consider using a Linux machine for your crypto trading activities. If you must use Windows, work from a standard (non-administrator) account and use an administrator account only when you need to install software you trust, then return to the standard account. This stops malware from installing itself system-wide, though anything your user account can read, including wallet files, is still exposed to malware running under it.
Safety of your cryptocurrencies requires your constant vigilance.