TechFlow News, February 19 — Coinbase published an investigation report on its official blog regarding a previous vulnerability incident, stating that on February 11, 2022, it received a report from a third-party researcher identifying a flaw in the Coinbase trading interface. Coinbase promptly activated its security incident response team to identify and fix the vulnerability, resolving the underlying system issue without impacting customer funds.
Coinbase explained that the root cause of the bug was the absence of a logical validation check within the retail brokerage API endpoint, which allowed users to submit trades to specific order books using mismatched source accounts. This API is exclusively used by the retail advanced trading platform, which is currently in a limited beta phase.
For example, if a user had one account holding 100 SHIB and another account with 0 BTC, they could manually modify their API request to specify the SHIB account as the funding source while submitting a market order to sell 100 BTC on the BTC-USD order book—effectively selling 100 BTC despite not holding any. In response, Coinbase stated it paid the reporter a $250,000 bug bounty. However, many comments under its tweet argued that this reward amount was too low.




