Hackerinthehouse
Learn about Cybersecurity!
Find hidden params in javascript files

assetfinder *.com | gau | egrep -v '(.css|.svg)' | while read -r url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
Bug Bounty Report

• Bug : Ethereum account balance manipulation

• Bug Type : Business Logic Errors

• Organization : Coinbase

• Bounty : $10000

• Technology : Blockchain or Web 3

Read This Report : 👇

📌 Summary :

➡️ By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account.

➡️ If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed.

➡️ But on Coinbase these transactions were not reversed, meaning someone could add as much ether to their balance as they want.

When looking at the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.

📌 Steps To Reproduce:

• Set up a smart contract with a few valid Coinbase wallets and 1 final faulty wallet

(for example, a smart contract that always throws an exception when receiving funds)

• Transfer appropriate funds to smart contract.

• Execute smart contract adding the set amount of ether to the Coinbase wallets without ever actually leaving the smart contract wallet because the complete transaction fails at the last wallet.

• Repeat until you have more than enough Ethereum in your Coinbase wallet.

• Cash out, transfer to off site wallet

How It Could Be Fixed :

➡️ The issue was fixed by changing the contract handling logic.

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
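
The report above comes down to a deposit processor crediting internal transfers from a transaction that reverted as a whole. The sketch below is an added example, not Coinbase's code and not part of the original report: it puts a flawed crediting routine beside a checked one. The data model (`TracedTx`, `InternalTransfer`), the flat list of call frames, the function names and the placeholder addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class InternalTransfer:
    """One value-carrying call frame taken from a transaction trace."""
    to: str
    value_wei: int
    error: Optional[str] = None   # set when this call frame itself reverted

@dataclass
class TracedTx:
    tx_hash: str
    status: int                   # receipt status: 1 = success, 0 = reverted
    transfers: List[InternalTransfer] = field(default_factory=list)

def credit_naive(tx: TracedTx, watched: Set[str]) -> Dict[str, int]:
    """Flawed: credits every internal transfer that appears in the trace."""
    credits: Dict[str, int] = {}
    for t in tx.transfers:
        if t.to in watched:
            credits[t.to] = credits.get(t.to, 0) + t.value_wei
    return credits

def credit_checked(tx: TracedTx, watched: Set[str]) -> Dict[str, int]:
    """Credits only transfers whose effects were committed on-chain."""
    if tx.status != 1:            # a top-level revert undoes every internal transfer
        return {}
    credits: Dict[str, int] = {}
    for t in tx.transfers:
        if t.error is None and t.to in watched:
            credits[t.to] = credits.get(t.to, 0) + t.value_wei
    return credits

# Constructed sample data (placeholder addresses and hashes, not real ones).
ETH = 10**18
WATCHED = {"0xWALLET_A", "0xWALLET_B"}
REVERTED = TracedTx("0xTX_REVERTED", status=0, transfers=[
    InternalTransfer("0xWALLET_A", 1 * ETH),
    InternalTransfer("0xWALLET_B", 1 * ETH),
    InternalTransfer("0xFAULTY", 1 * ETH, error="execution reverted"),
])
COMMITTED = TracedTx("0xTX_OK", status=1, transfers=[
    InternalTransfer("0xWALLET_A", 1 * ETH),
    InternalTransfer("0xWALLET_B", 1 * ETH),
])

if __name__ == "__main__":
    print("naive  :", credit_naive(REVERTED, WATCHED))
    print("checked:", credit_checked(REVERTED, WATCHED))
```

A useful regression test for any deposit pipeline is exactly the `REVERTED` case: the sum of credited balances must never exceed what the receiving addresses hold on-chain.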
How to Find XSS Like a Pro 🫥

To find XSS (Cross-Site Scripting) bugs, you can use a combination of manual testing and automated tools.

Some steps you can follow to find XSS:

➡️ Identify potential entry points for XSS attacks, such as input fields in web forms, query parameters in URLs, or file uploads.

➡️ Use a web application scanner to test these entry points for XSS vulnerabilities.

These scanners can automatically scan your web application and identify potential vulnerabilities, including XSS.

➡️ Manually review your website's code for any places where user-supplied input is not properly sanitized or validated.

For example, look for places where the website includes user input in the page without properly encoding it first.

➡️ Test the website by trying to inject various types of malicious input, such as JavaScript code, into different parts of the website.

For example, try entering JavaScript code into forms, URL parameters, and other inputs to see if the website is vulnerable to XSS attacks.

➡️ If you find any potential XSS vulnerabilities, verify them by attempting to exploit them.

This will help you confirm that the issue is real and that it needs to be fixed.

Once you have identified and verified any XSS vulnerabilities, work with your development team to fix the issues and prevent them from happening again in the future.

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
Complete Practical Study Plan to become a successful cybersecurity engineer... :)

https://github.com/jassics/security-study-plan

#cybersecurity #infosec #hacking
Secondary context fuzzing:

/..%2f
/..;/
/../
/..%00/
/..%0d/
/..%5c
/..\
/..%ff/
/%2e%2e%2f
/.%2e/
/%3f (?)
/%26 (&)
/%23 (#)

via https://samcurry.net/hacking-starbucks/

100 million😲 sbux accounts disclosure 
see also: https://docs.google.com/presentation/d/1N9Ygrpg0Z-1GFDhLMiG3jJV6B_yGqBk8tuRWO1ZicV8

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
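
On the defending side, a gateway that forwards part of the client's path to an internal service can refuse the sequences listed above before building the backend URL. The following is an added example, not taken from the linked write-up: the function names, the finding labels and the sample paths are assumptions, and the input is expected to be the path only, already split from the query string.

```python
import re
from urllib.parse import unquote_to_bytes

# %3f (?), %26 (&), %23 (#), also when the percent sign is itself encoded as %25
ENCODED_DELIM = re.compile(rb"%(?:25)*(?:3f|26|23)", re.I)

def decode_fully(raw: bytes, rounds: int = 3) -> bytes:
    """Undo nested percent-encoding (e.g. %252e) a bounded number of times."""
    for _ in range(rounds):
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw = nxt
    return raw

def path_findings(raw_path: str) -> list:
    """Reasons a client-supplied path should not be forwarded to a backend."""
    raw = raw_path.encode("utf-8")
    decoded = decode_fully(raw)
    found = set()
    if ENCODED_DELIM.search(raw):
        found.add("encoded-delimiter")
    if b"\\" in decoded:
        found.add("backslash")
    if any(b < 0x20 or b == 0x7F for b in decoded):
        found.add("control-byte")
    try:
        decoded.decode("utf-8")
    except UnicodeDecodeError:
        found.add("invalid-utf8")
    for seg in re.split(rb"[/\\]", decoded):
        seg = seg.split(b";", 1)[0]                     # drop ;params some servers strip
        seg = bytes(b for b in seg if 0x20 < b < 0x7F)  # drop control, space, non-ASCII
        if seg == b"..":
            found.add("dot-segment")
    return sorted(found)

# Constructed sample paths (not real traffic): the listed sequences plus two benign ones.
SAMPLES = ["/api/v1/user/..%2f", "/api/..;/admin", "/api/..%00/", "/api/..%5c",
           "/api/..%ff/", "/api/%2e%2e%2f", "/api/.%2e/", "/api/item%3f",
           "/api/v1/user/profile", "/files/report.v2.pdf"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:24} {path_findings(p) or 'ok'}")
```

Rejecting on any finding is safer than trying to normalise and forward, because the gateway and the backend may not agree on how a path is decoded.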
Bug Bounty Hint

How to turn Self-XSS into Reflected/Stored XSS

• Cache poisoning
• Copy+Paste trick using IFrame
• Cookie poisoning using auto login

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
How to Get Started in Bug Bounty?

Basics:
1. Networking basics
2. Linux basics
3. Computer flow
4. Learning 1 at 1

How things work?
1. Website
2. Apps
3. Servers
4. Networks
5. Technologies

What Tools?
1. Proxy Tools
2. Tools installation
3. Virtual Box
4. Browser Usage
5. Linux Commands

Labs
1. Portswigger
2. Hacker101
3. CTFs
4. HackThisSite
5. Pentesterlab

Platforms
1. Bugcrowd
2. HackerOne
3. Intigriti
4. YesWeHack and more

#bugbounty #bugbountytips #cybersecurity #infosec #hacking
List of Awesome macOS Red Teaming Resources.

As more and more companies begin to adopt macOS as a daily office solution, we often encounter the macOS operating system during our Pentest/Red Teaming process.

How to #hacking #macOS, how to achieve Persistence under macOS, and how to use this as a starting point for Lateral Movement to the DC are topics worth researching.

This list is for anyone who wants to learn about Red Teaming for macOS but has no starting point. 👇

https://github.com/tonghuaroot/Awesome-macOS-Red-Teaming

JOIN @h4ckerinthehouse FOR MORE!
Tips for finding hardcoded credentials

Whenever you are searching for hardcoded credentials, don't forget to read "jquery.js" files as well. Sometimes you might find 3rd party hardcoded credentials.

#bugbountytips #hacking #infosec