A potentially disastrous bug in an Ethereum smart contract would have theoretically given Coinbase customers unlimited Ethereum. However, it did not allow users to withdraw unlimited Ethereum; instead, users could send unlimited Ethereum.
Had the bug been exploited, Coinbase likely would have been able to catch the suspects, as all accounts are tied to identities. But it still worried customers and the crypto community:
“Coinbase bug made it possible to reward yourself with unlimited Ethereum.” https://t.co/BSigA3hiMT pic.twitter.com/zxrzRPyhjx
— WhalePanda (@WhalePanda) March 21, 2018
A report of the vulnerability was published yesterday with a severity level of 9/10. A quick response from Coinbase has resolved the vulnerability; however, it does raise questions over the security of smart contracts. Over the past year, hundreds of millions of dollars in Ethereum have been lost due to smart contract vulnerabilities.
The two most infamous cases of smart contract vulnerabilities were the DAO and the Parity bug. The DAO (Decentralised Autonomous Organisation) hack in June 2017 had a value of $70 million, but the hackers were stopped and Ethereum was refunded via a hard fork that created Ethereum Classic (ETC).
A Parity wallet bug lost Ethereum to the tune of $212 million when a junior developer ‘deleted’ essential code by accident. Due to the immutable nature of blockchain transactions, it is thought this Ethereum can never be recovered. The most recent Coinbase scare will raise questions over smart contract security and the need for rigorous peer reviews to ensure simple code mistakes do not result in irrecoverable funds.