There’s nothing like a good deal when you’re shopping online using cryptocurrency. But you’d be hard-pressed to find a better deal than the one journalist Brian Krebs found on internet retailer Overstock.
The thing is, the bargain wasn’t exactly intentional. It was a glitch on either Coinbase — a popular online crypto exchange — or Overstock’s end that let shoppers use bitcoin cash (BCH) interchangeably with bitcoin (BTC). This bug also allowed shoppers to get a refund in BTC for what they had paid for in BCH. A malicious actor could have abused this glitch to make off with thousands of dollars’ worth of bitcoin in just a few clicks.
Bancsec, a North Carolina-based bank security firm, tipped off Krebs, who originally reported on this potential Coinbase-Overstock flaw. The journalist proceeded to test it by purchasing a $78 motion sensor with BCH when he should have been paying in BTC.
“Logging into Coinbase, I took the bitcoin address and pasted that into the ‘pay to:’ field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin,” Krebs explained on his website. “The site responded that the payment was complete. I had just made a $78 purchase by sending approximately USD $12 worth of bitcoin cash.”
That’s about an 85% discount on the purchase, but it didn’t stop there. When Krebs cancelled his order and requested a refund, the site sent him $78 worth of BTC instead of what he had actually paid.
Krebs noted that a dishonest customer could have purchased a $100,000 diamond ring, paid with $15,000 worth of BCH, requested a refund, and scammed Overstock out of $85,000.
Coinbase told Krebs that this bug existed for about three weeks, which is quite a long time considering the amount of money that was at stake. But it seems neither Coinbase nor Overstock is taking the rap for this oversight; Overstock says they didn’t change anything in the underlying code of their site, while Coinbase claims it was caused by “the merchant partner improperly using the return values in our merchant integration API.”
Regardless of whose fault it was, at least there were no reports of large sums of money scammed from the online retailer.