By marksimic33

Retrospective: Recent Coinbase Bug Bounty Award 2022

The underlying cause of the bug was a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account. This API is only utilized by our Retail Advanced Trading platform, which is currently in limited beta release. For example: a user has an account with 100 SHIB and a second account with 0 BTC. The user submits a market order to the BTC-USD order book to sell 100 BTC, but manually edits their API request to specify their SHIB account as the source of funds.
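The missing check described above, as an added illustration that is not Coinbase's code: a flawed validator that trusts the client-supplied source account and only compares a balance, beside a hardened one that first binds the source account to the requester and to the currency the order book actually debits. The ledger, account ids, and the `Order` and `Account` shapes are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str
    currency: str
    balance: float


@dataclass(frozen=True)
class Order:
    owner: str           # authenticated user submitting the order
    product: str         # order book, e.g. "BTC-USD" (base-quote)
    side: str            # "buy" or "sell"
    amount: float        # quantity of the funding currency to debit
    source_account: str  # client-supplied id of the account to debit


# Constructed sample ledger mirroring the post: 100 SHIB and 0 BTC.
ACCOUNTS = {
    "acct-shib": Account("acct-shib", "alice", "SHIB", 100.0),
    "acct-btc": Account("acct-btc", "alice", "BTC", 0.0),
}

# The mismatched request from the post: sell 100 "BTC" funded from the SHIB account.
MISMATCHED = Order("alice", "BTC-USD", "sell", 100.0, "acct-shib")


def funding_currency(order: Order) -> str:
    """A sell debits the base currency, a buy debits the quote currency."""
    base, quote = order.product.split("-")
    return base if order.side == "sell" else quote


def validate_unchecked(order: Order, accounts=ACCOUNTS) -> bool:
    """Flawed shape: trusts the client-supplied account and only checks balance."""
    acct = accounts[order.source_account]
    return acct.balance >= order.amount  # 100 SHIB "covers" 100 BTC: accepted


def validate(order: Order, accounts=ACCOUNTS) -> tuple:
    """Hardened: the source account must belong to the requester and hold the
    currency the order book debits, before the balance is even considered."""
    acct = accounts.get(order.source_account)
    if acct is None or acct.owner != order.owner:
        return False, "source account not found or not owned by requester"
    needed = funding_currency(order)
    if acct.currency != needed:
        return False, f"source account holds {acct.currency}, order debits {needed}"
    if acct.balance < order.amount:
        return False, "insufficient balance"
    return True, "ok"
```

Server-side derivation of the funding currency from the order book, rather than from any client-supplied field, is what closes the gap; the balance check alone cannot catch the mismatch.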