Coinbase Merchant Error Causes Major Exploit on Overstock

Recently, it was made public that retail giant Overstock.com had fallen victim to a huge exploit involving Coinbase’s merchant API. This is another issue on top of many others that customers and businesses have made apparent affecting the leading Bitcoin exchange.

On January 5, independent researchers discovered a massive exploit in Overstock’s cryptocurrency payment gateway, which is offered through Coinbase’s merchant functionality. This exploit allowed Overstock customers to purchase items with Bitcoin Cash (BCH) instead of Bitcoin, which effectively resulted in an almost 85% discount.

The even greater issue that emerged was the ability to return purchases made with the discounted BCH and receive Bitcoin in return. Malicious users could pay for an order in Bitcoin Cash and be refunded an equal amount of Bitcoin. This exploit emerged when Coinbase first implemented Bitcoin Cash support on December 19, and existed for almost three weeks.

Coinbase claims that the bug emerged due to improper implementation of its merchant API by Overstock. According to the exchange, Overstock was the only partner out of dozens of merchants that experienced this issue. Furthermore, Coinbase stated that it worked alongside Overstock to solve the problem.

However, Overstock’s statement contradicted Coinbase, asserting that the issue was entirely the fault of the exchange. The online retailer asserted that it had changed no code on its website, and that only Coinbase’s merchant API had been tweaked.

It is unclear to what extent this bug was exploited, if at all. However, if just one malicious user came across this bug during the time it existed, they would have the potential to steal hundreds of thousands or even millions of dollars worth of Bitcoin from the retailer.

Overstock.com represents one of the first major companies to support Bitcoin. Since 2014, it has accepted cryptocurrency as payment for any of its items. Additionally, Overstock accepts Ethereum, Litecoin, Monero, NEM, and Dash. Overstock’s CEO has been outspoken about cryptocurrency throughout this time period, and has even considered liquidating the retail portion of the business to fund blockchain-based ventures.

Since first accepting Bitcoin in 2014, Overstock has held onto a portion of its Bitcoin profits, seeing the coin rise from just a few hundred dollars to a high of US$20,000 during this time period. As an outspoken Bitcoin supporter, Overstock’s stock has also performed incredibly in conjunction with the ongoing cryptocurrency surge.