Coinbase Suspends Accounts of a User Who Found an Exploit in Their System

According to a post on Reddit, a Coinbase customer helped the company eliminate a potentially critical exploit in its system but eventually found himself banned for no obvious reason.

The post’s author, who calls himself David Jones, says that he once found a serious exploit that could have resulted in the loss of all of the company’s assets and its subsequent bankruptcy. More precisely, the exploit was in Coinbase’s Vault service, which many users employ to store their bitcoins.

Jones said that he discovered a way to withdraw an unlimited amount of bitcoins that he did not own in the first place. Technically, no user should be able to create a negative balance; however, according to a screenshot posted by Jones, that is exactly what happened. The problem could have caused more than the direct loss of funds: had the information become public, it could have resulted in the loss of several million dollars in addition.

After receiving the report, Coinbase fixed the bug and paid Jones a bounty of $5,000. However, shortly afterwards Jones found his accounts suspended.

Jones states that shortly afterwards he found another bug in Coinbase’s system, similar to the first one, but the company’s engineers classified his second report as “informative”.

“When I discovered the second exploit they stopped responding to me for months, and after their response for more info on the exploit they had banned my account,” Jones wrote.

However, Coinbase executives showed up in the comments on the post and stated that the ban had nothing to do with the bug reports.

“I can’t imagine any reason why those two events (finding an exploit and being ‘banned’) would be connected. So I’d guess they are totally unrelated,” Brian Armstrong, Coinbase CEO, wrote.

Another Coinbase executive, Charlie Lee, director of engineering, commented further on the issue:

“I won’t comment on the account ban for privacy or regulatory reasons. But I can say that the ban has nothing to do with this person’s hackerone reporting. And unfortunately, we cannot be more lenient on him just because he has previously helped us. The 2 issues are independent. And plus, the team that works with banning has no access or knowledge of the hackerone cases. This separation protects our customers’ privacy.”

Having briefly described the exploit, which generally involved creating negative balances, Lee stated that the company has decent protection against losing money to such bugs. He said that any account with a negative balance is blocked, and hence there was no ban, only a block on sending any money off-site because of the negative balance.

“The sum of all his account balances is never negative for this exploit. He was able to withdraw his own coins. It’s true that he now still had a positive balance in an account, but there was no way he could have withdrawn those coins externally. He had to first deposit coins to set his negative wallet balance positive first,” Lee said.

“To be honest, awarding this exploit $5,000 was more than fair, if you ask me,” he added.
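The compensating control Lee describes, as an added illustration that is not Coinbase’s code: a toy per-user ledger in which a flawed internal transfer can drive one wallet negative (a modelled stand-in for the bug class in the post; the real mechanics are not public), while off-site withdrawals are refused whenever any wallet is negative, so the user must deposit first and the sum across wallets is checked. The hardened transfer beside it rejects the overdraw outright. Wallet names and amounts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class UserLedger:
    # wallet name -> balance in satoshis; all values below are constructed
    wallets: dict = field(default_factory=dict)

    def total(self) -> int:
        return sum(self.wallets.values())

    def transfer_buggy(self, src, dst, amount):
        # Modelled flaw (an assumption, not the actual Coinbase bug): an
        # internal move with no balance check, so `src` can go negative.
        self.wallets[src] -= amount
        self.wallets[dst] += amount

    def transfer(self, src, dst, amount):
        # Hardened version: refuse any move that would overdraw `src`.
        if amount <= 0 or self.wallets[src] < amount:
            raise ValueError(f"insufficient funds in {src}")
        self.wallets[src] -= amount
        self.wallets[dst] += amount

    def external_withdraw(self, wallet, amount):
        # Control described by Lee: off-site sends are blocked while any
        # wallet is negative (the user must deposit first), and the sum of
        # all wallets must cover the amount.
        if any(b < 0 for b in self.wallets.values()):
            raise ValueError("withdrawals blocked: negative wallet balance")
        if amount <= 0 or self.wallets[wallet] < amount or self.total() < amount:
            raise ValueError("insufficient funds")
        self.wallets[wallet] -= amount
        return self.wallets[wallet]

def rejected(action) -> bool:
    # True when the ledger refuses the action (constructed helper).
    try:
        action()
    except ValueError:
        return True
    return False

def demo():
    u = UserLedger({"vault": 1000, "wallet": 0})
    u.transfer_buggy("vault", "wallet", 3000)  # vault -2000, wallet 3000
    blocked = rejected(lambda: u.external_withdraw("wallet", 3000))
    u.wallets["vault"] += 2000                 # deposit restores vault to 0
    left = u.external_withdraw("wallet", 1000)  # the user's own coins go out
    return blocked, left, u.total()
```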