Tree of Alpha describes how he alerted the exchange to a vulnerability that could have caused a "potential crisis" — but critics say his bug bounty should have been much higher.
An engineer has revealed how he spotted a flaw in Coinbase's advanced trading feature that could have allowed malicious users to sell Bitcoin without owning it.
In a detailed Twitter thread, he described "poking around" the new feature to understand how it works — and while attempting to get an error message, a significant vulnerability emerged.
"Hoping this is a UI bug, I check the fills on the order, and they match the API: those trades really happened, on the live order book."
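The article describes the outcome (real fills on the live book for Bitcoin the seller did not hold) but not the root cause. The following added example is not Coinbase's code and is not from Tree of Alpha's thread; it is a constructed illustration of the class of control that prevents that outcome: a pre-trade gateway that checks and reserves the seller's own balance of the base asset, taken from the authenticated session rather than from the request, plus a reconciliation routine that flags fills no balance backed. Account names, balances and the `OrderGateway` and `reconcile_fills` helpers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Account:
    """Constructed ledger record: balances and open-order reservations per asset."""
    account_id: str
    balances: dict
    reserved: dict = field(default_factory=dict)

    def available(self, asset: str) -> Decimal:
        return Decimal(self.balances.get(asset, "0")) - self.reserved.get(asset, Decimal(0))


class OrderRejected(Exception):
    pass


class OrderGateway:
    """Hypothetical pre-trade gateway in front of a (stand-in) matching engine."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.book = []  # orders accepted onto the live book

    def submit_sell(self, session_account_id: str, product: str, size: str) -> dict:
        base, _quote = product.split("-")
        qty = Decimal(size)
        if qty <= 0:
            raise OrderRejected("size must be positive")
        # The account that must back the order is the authenticated session's
        # account, never an account reference supplied in the request body.
        acct = self.accounts[session_account_id]
        if qty > acct.available(base):
            raise OrderRejected(
                f"{session_account_id} can sell at most {acct.available(base)} {base}, not {qty}"
            )
        # Reserve before the order goes live so two concurrent orders cannot both
        # spend the same coins (a real venue does check + reserve in one transaction).
        acct.reserved[base] = acct.reserved.get(base, Decimal(0)) + qty
        order = {"account": session_account_id, "side": "sell", "product": product, "size": str(qty)}
        self.book.append(order)
        return order


def reconcile_fills(fills, pre_trade_balances):
    """Detection side: return fills whose seller held less of the base asset than
    they sold. A non-empty result is exactly the signal the article describes:
    real fills on the live book that no balance backed."""
    unbacked = []
    for f in fills:
        base = f["product"].split("-")[0]
        held = Decimal(pre_trade_balances.get(f["seller"], {}).get(base, "0"))
        if Decimal(f["size"]) > held:
            unbacked.append(f)
    return unbacked


def run_demo() -> dict:
    """Constructed scenario: alice holds 0.5 BTC; bob holds none but has a fill."""
    alice = Account("alice", {"BTC": "0.5"})
    gw = OrderGateway([alice])
    gw.submit_sell("alice", "BTC-USD", "0.3")       # accepted, 0.2 BTC still available
    try:
        gw.submit_sell("alice", "BTC-USD", "0.3")   # exceeds remaining balance
        second_rejected = False
    except OrderRejected:
        second_rejected = True
    fills = [  # constructed fill records, as a reconciliation job would read them
        {"seller": "alice", "product": "BTC-USD", "size": "0.3"},
        {"seller": "bob", "product": "BTC-USD", "size": "1"},
    ]
    flagged = reconcile_fills(fills, {"alice": {"BTC": "0.5"}, "bob": {"BTC": "0"}})
    return {
        "orders_on_book": len(gw.book),
        "second_rejected": second_rejected,
        "unbacked_sellers": [f["seller"] for f in flagged],
    }


if __name__ == "__main__":
    print(run_demo())
```

The gateway enforces the control at the point where an order becomes live, and `reconcile_fills` is the independent after-the-fact check: an operator who runs it over the day's fills against opening balances sees "bob" flagged, which is the kind of mismatch the thread's author was looking for when he compared the fills against the API.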
Taking Urgent Action
Tree of Alpha had spotted this vulnerability on Feb. 11 — the Friday before the Super Bowl — and immediately began attempting to reach Coinbase executives to inform them.
At the time, he had described the exploit as "potentially market-nuking" — underlining its severity.
Within 30 minutes, all of the markets in its advanced trading feature were in cancel-only mode, with Coinbase CEO Brian Armstrong reaching out at the time to say thank you.
The engineer says other attack vectors that a malicious user could have deployed included shorting on FTX or Binance — and flashing big limit sells "to make the market freak out." He wrote:
"We will never know what exactly could have happened should a black-hat hacker try to exploit it, and it is better this way. While I could have, myself, tried to flash huge limit sell orders, responsible testing requires I only do the necessary to assess the extent of the bug."
Tree of Alpha thanked his followers for ensuring that he could reach the right people within Coinbase as a matter of urgency — and praised the exchange for fixing the vulnerability quickly. He added:
"While I sometimes have my beef with Coinbase, I am not sure I could have reached any other CEX that quickly in the same situation."
"$250k? Would you rather folks just exploit these bugs, and nuke Coinbase and their customers' assets to zero? What gives?"
Others were more critical that such a vulnerability could even go live in the first place:
"Extremely unsettling that such a basic flaw can go undetected!"