Cobalt bug bounty program


Race condition when withdrawing bitcoin allows me to withdraw more than I am allowed to #CC1_587

Valid | by josipfranjkovic | Missing Access Control

Description

Hi,

It is possible to withdraw a huge amount of money if you have a ready payout, using a race condition when withdrawing to BTC.
Just to make sure, I intend on returning the amount I "stole" from you as soon as you give me an address. Please do that.

POC

Set up your account and add BTC address to your account.
Win a bounty.
Go to cobalt.io/payouts and withdraw to BTC.
After confirming that you want to withdraw to BTC, a POST request will be made to https://cobalt.io/invoices/inv_{ID}.
Repeat this POST request multiple times in the shortest possible time frame, and multiple awards will be sent to your BTC address. It is best to multi-thread the requests.

I was awarded $3k in BTC and I only got $1000 payout.

Criticality

It is pretty damn high since I just stole $2000 worth of BTC.

Suggested fix

No suggestion

HTTP Request
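The check-then-pay window the POC above describes, next to the atomic claim that closes it, as an added example that is not Cobalt's code: the SQLite schema, the `inv_example` id and the ready/paying/paid status names are assumptions.

```python
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

INVOICE = "inv_example"  # constructed id standing in for the report's inv_{ID}

def _setup(db_path, amount):
    # Constructed sample data: one invoice whose payout is 'ready'.
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, amount REAL, status TEXT)")
    con.execute("CREATE TABLE payouts (invoice_id TEXT, amount REAL)")
    con.execute("INSERT INTO invoices VALUES (?, ?, 'ready')", (INVOICE, amount))
    con.commit()
    con.close()

def withdraw_racy(db_path, gate):
    # Vulnerable: read the status, then pay. Every request that read 'ready' pays.
    con = sqlite3.connect(db_path, timeout=5, isolation_level=None)  # autocommit
    row = con.execute("SELECT amount, status FROM invoices WHERE id=?", (INVOICE,)).fetchone()
    if row is None or row[1] != "ready":
        return False
    gate.wait()  # the check-to-pay window where the repeated POSTs pile up
    con.execute("INSERT INTO payouts VALUES (?, ?)", (INVOICE, row[0]))  # "send BTC"
    con.execute("UPDATE invoices SET status='paid' WHERE id=?", (INVOICE,))
    return True

def withdraw_atomic(db_path, gate):
    # Fixed: claim the invoice with a conditional UPDATE under the write lock.
    gate.wait()  # all requests arrive together; BEGIN IMMEDIATE serialises them
    con = sqlite3.connect(db_path, timeout=5, isolation_level=None)
    con.execute("BEGIN IMMEDIATE")  # take the write lock before the check
    cur = con.execute("UPDATE invoices SET status='paying' WHERE id=? AND status='ready'", (INVOICE,))
    if cur.rowcount != 1:  # another request already claimed this invoice
        con.execute("ROLLBACK")
        return False
    amount = con.execute("SELECT amount FROM invoices WHERE id=?", (INVOICE,)).fetchone()[0]
    con.execute("INSERT INTO payouts VALUES (?, ?)", (INVOICE, amount))
    con.execute("UPDATE invoices SET status='paid' WHERE id=?", (INVOICE,))
    con.execute("COMMIT")
    return True

def run_race(handler, requests=5, amount=1000.0):
    # Fire `requests` concurrent withdrawals of one invoice; return the total paid out.
    db_path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    _setup(db_path, amount)
    gate = threading.Barrier(requests, timeout=5)
    with ThreadPoolExecutor(max_workers=requests) as pool:
        list(pool.map(handler, [db_path] * requests, [gate] * requests))
    con = sqlite3.connect(db_path)
    return con.execute("SELECT COALESCE(SUM(amount), 0) FROM payouts").fetchone()[0]
```

A request that loses the conditional UPDATE returns False, and that outcome is also the event worth logging and alerting on, since a legitimate user never submits the same invoice twice in the same instant.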
josipfranjkovic

Please send me an address to which I am supposed to return this. I have no intention of stealing that money.

I am also not sure if this works on PayPal payout, you should check that too.

josipfranjkovic

I would also like to apologize for doing this the way I did it. I will of course return this money as soon as you give me the address and it gets confirmed.
Sorry once again.

Best regards,

Josip

luisgrangeia

Hi @josipfranjkovic. Thanks for this. No need to apologize :)

Since I have no easy way of replicating this I'll need more information so we can check our logs and find the issue. Could you please send me, whenever possible:

  • Full POST request with all parameters;
  • Time and date of request(s);
  • Bug that you had the $1000 payment for.

If you can provide us with any of this it will probably help. We'll keep in touch.

Regards,

LG

josipfranjkovic

Hi,

The bug I got $1000 for is this one:
https://cobalt.io/[redacted]
Unfortunately, I am not able to provide a full POST request because I do not have logs of my own requests, but I believe you should find 5 POST requests in quick succession between this report's time and half an hour back. The IP was most likely [redacted].
These POST requests were made to https://cobalt.io/invoices/inv_$id, and I believe $id should be li_IFhypyn or IFhypyn but I am not sure. I remember there being a CSRF-token, an invoice id same as $id, and the payment type parameter. Cannot remember their names.
Here is the blockchain info about my address at which I hold the BTC I got:
https://blockchain.info/address/[redacted]
Perhaps the first time-stamp from there can help you find the requests.
Also, if you can reward this bug with $0.1 and set the payout to ready I can try to re-create the race conditions and send you full detailed logs?

Best regards,

Josip

P.S. sorry for the crappy initial report.

josipfranjkovic

Hi,

any luck reproducing/fixing this?

Best regards,

Josip

christian

@josipfranjkovic Thanks for your report, great work! Sorry for the late response.

We found your requests in our logs and can confirm the race condition. We made some big changes to our payment systems this Thursday, so it could be that this had some impact. We have a $3k withdrawal limit, above which manual approval is required, and had actually planned to make all withdrawals have a manual approval step, but it seems you beat us to it.

I've sent you an email with our bitcoin address.

We might create a test case, so you could try the attack out again – we'll get back to you on that.

josipfranjkovic

Hi @Christian,

Do you want me to return $2k or 2/3 of the BTC I got? Since BTC's price has gone up I would return ~2260 USD.

EDIT: also, I would like to try this on the PayPal withdrawal method. Should I create 2 bogus reports to https://cobalt.io/test-bounty, one with a BTC reward and one with a PayPal reward?
Best regards,

Josip

luisgrangeia

@josipfranjkovic Congrats on this find, it is definitely a high impact issue!

If you don't mind, I'll wait before closing this report because I'd like to keep this open until @Christian replies for further testing.

josipfranjkovic

Hey @luisgrangeia and @Christian,

Thanks! I am just really glad this did not go the way that includes lawyers because of how I performed my tests. I will gladly do any additional testing you need.

I would also like to keep this report private; [redacted]

Best regards,

Josip

Christian changed the title from "URGENT - race condition when withdrawing allows me to withdraw more than I am allowed to" to "Race condition when withdrawing bitcoin allows me to withdraw more than I am allowed to"

luisgrangeia

@josipfranjkovic As discussed, we decided to award you a high reward for this issue. Thanks again for the catch.

We have changed our payout processing workflow, so this issue should be completely solved by now. Let me know if you still find anything.

Regarding public disclosure, I really hope you'll reconsider. It is important to disclose bugs like this after they're fixed so other companies benefit from these indirectly. It's also important for us, as it shows that bug bounty programs work and reward good and high impact finds.

Best regards,

LG

luisgrangeia changed state to Valid and granted $1500 bounty


Christian requested disclosure

josipfranjkovic accepted disclosure