Coinbase Wallet is insecure - I lost over $50,000 when using this app

A few days ago, all my money in my Coinbase Wallet, $58,797, was drained from the wallet without my knowing about it until I opened the wallet.

After some research, I believe there is a big security issue in Coinbase Wallet where a DApp (Decentralized Application) can take control and grant spending permission to an external entity.

My empty wallet 😢

Contacting Coinbase/Wallet Support, which is the only way I know of to reach them, was not helpful. All they said was that I may have leaked the recovery phrase, without looking into the details I provided. I found a recent review on Google that describes the situation really well.

A recent user review on Google Play Store.

I am going to describe what happened in detail.

My brother-in-law showed me his Coinbase Wallet a few weeks ago, where he had joined a mining pool that was giving out Ethereum every day. He is also a Coinbase user, so he showed me the Coinbase app to get as well.

I was new to crypto, so I installed both apps from the Google Play Store on my Android phone and started my journey.

Reading about Coinbase Wallet from Google's search results, it is considered one of the most secure wallets out there:

Thus, I chose to install Coinbase Wallet as my first crypto wallet to start mining, with full trust in the app. Here's the version of Coinbase Wallet that I had installed:

Coinbase Wallet version 25.8.398

The "mining pool" I joined is a DApp with the address u2e-free.com. This address is only accessible using a DApp browser inside the wallet (or, as I found out later, with a wallet browser extension).
The DApp u2e-free.com

The DApp also has a promotional website here: https://u2e-free.vip/

For the first 10 days, the DApp gave out Ethereum as expected, and it was a big profit, so I added a lot of Tether (USDT) to my wallet. The more USDT I had in my wallet, the higher the yield.
The big "profit" rates (per day)

I was totally confident in Coinbase Wallet's reputation, ignoring my suspicion about the unrealistically high profit. I believed that as long as money stayed in my safe Coinbase Wallet and no one else knew my recovery phrase, it could not be taken out without my approval.

I was wrong. All my money was drained from my Coinbase Wallet through this transaction:

https://etherscan.io/tx/0x28fe570dc54f6432db9fd7b7fce68083c081f9eff69c8334a30c9077d22e775c

The transaction where my money was stolen

Reviewing the transaction, there is something that does not look right: the address that interacted with the USDT contract (highlighted in orange) is not the same as my address (highlighted in yellow). How could another address drain my wallet?

Thus, I looked further and found a transaction that granted Authorized Spender permission in a Smart Contract to an external entity:

https://etherscan.io/tx/0x5d3b28977f2f9b591f705bd24eeb777d50b9c35dd19cc3bf80223377f7072f7f

My Coinbase Wallet was compromised somehow. It granted Approved Spender permission to an external entity to spend unlimited USDT from my wallet. Notice that there is $0 at risk because they took it all.

I looked further into what that entity is doing and discovered that the entity is draining money from a lot of other wallets too.

The "spender" is draining a lot of wallets, including mine (highlighted)

Reviewing one of the addresses that this entity transferred money to, we can get some idea of the amount of money that was taken. This entity has been active since 10/16/2021 and is currently draining people's wallets.

IN/OUT transactions of the entity. The transactions of my brother-in-law and mine are highlighted.

Based on the research I did above, I believe Coinbase Wallet on mobile got compromised due to a major security issue: its DApp browser may execute (malicious) Smart Contract APIs, such as the API granting Authorized Spender permission, without the user being aware of it.

A safe Internet browser would inform users if a site is requesting the user's location or if a camera or microphone is going to be used. Users must give approval.

This is not the case for Coinbase Wallet on mobile. I never saw any permission request while visiting that malicious DApp telling me that it was granting Approved Spender permission to a different entity.

I believe that the U2E-Free app is exploiting that vulnerability in Coinbase Wallet and users are getting all of their money stolen.

I contacted Coinbase multiple times after my research and provided them with details, asking them whether it is possible for a DApp to take control of Coinbase Wallet, and here's what they told me:

If you did not authorize any outgoing transactions from your Coinbase Wallet, it means that your recovery phrase has been compromised.

Even though crypto was new to me, I am really familiar with the Internet and know how to keep secrets safe. Also, it was not my address that made the transfer, but a different entity. They failed to acknowledge their vulnerability and accused users of leaking the recovery phrase.

Coinbase's support information misleads people into believing that as long as their recovery phrase is safe, no other entity can take money out of their wallet, which is not true. I found the following article from back in February discussing the issue:

Bad Actors Abusing ERC20 Approval to Steal Your Tokens!

Surprisingly, this issue still exists in Coinbase Wallet.

From the article, you can use https://revoke.cash in your DApp browser to query whether there are transactions that granted the Approved Spender permission and revoke them. Coinbase Wallet is not aware of this and has no interface listing these transactions that may drain your wallet.
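The two mechanisms described above, the approve() call that granted an unlimited USDT allowance and the allowance query that a tool like revoke.cash runs, can be checked without trusting the wallet's UI. The following is an added example, not code from the original post or from Coinbase Wallet or revoke.cash: it decodes the calldata of an ERC-20 approve() transaction, flags an unlimited allowance before it is signed, and builds and decodes the allowance(owner, spender) call that is sent to the token contract with eth_call. The function selectors are the real ERC-20 values; the owner and spender addresses and the calldata are constructed sample values that exist only in this example.

```javascript
// Added example (not code from the original post, Coinbase Wallet or revoke.cash).
// Decode ERC-20 approve() calldata, flag unlimited allowances, and build the
// allowance(owner, spender) query used to audit existing approvals. Runs offline.

// Real 4-byte function selectors from the ERC-20 ABI (keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
  "dd62ed3e": "allowance(address,address)",
};
const MAX_UINT256 = (1n << 256n) - 1n; // the value a DApp passes to mean "unlimited"

const strip0x = (hex) => (hex.startsWith("0x") ? hex.slice(2) : hex).toLowerCase();
const padAddress = (addr) => strip0x(addr).padStart(64, "0"); // 20-byte address -> 32-byte ABI word
const wordToAddress = (word) => "0x" + word.slice(24);         // address is the last 20 bytes of the word
const wordToBigInt = (word) => BigInt("0x" + word);

// Split ABI-encoded calldata into its selector and 32-byte argument words;
// for approve() also extract the spender and amount.
function decodeCalldata(calldata) {
  const data = strip0x(calldata);
  const selector = data.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= data.length; i += 64) words.push(data.slice(i, i + 64));
  const name = SELECTORS[selector] || null;
  const decoded = { selector, name, words };
  if (name === "approve(address,uint256)" && words.length === 2) {
    decoded.spender = wordToAddress(words[0]);
    decoded.amount = wordToBigInt(words[1]);
    decoded.unlimited = decoded.amount === MAX_UINT256;
  }
  return decoded;
}

// Classify an approve() before signing it. `balance` is the owner's token balance
// in base units (USDT uses 6 decimals), or null if unknown.
function assessApproval(decoded, balance = null) {
  if (decoded.name !== "approve(address,uint256)") {
    return { risk: "N/A", reason: "not an approve() call" };
  }
  if (decoded.unlimited) {
    return { risk: "HIGH", reason: `unlimited allowance granted to ${decoded.spender}` };
  }
  if (balance !== null && decoded.amount > balance) {
    return { risk: "HIGH", reason: "allowance exceeds current balance" };
  }
  if (decoded.amount === 0n) {
    return { risk: "LOW", reason: "allowance revoked (set to 0)" };
  }
  return { risk: "MEDIUM", reason: `allowance of ${decoded.amount} base units to ${decoded.spender}` };
}

// Build calldata for allowance(owner, spender). Sent to the token contract via
// eth_call, the reply tells you how much that spender can still take (this is
// what an allowance checker shows per token/spender pair).
function encodeAllowanceCall(owner, spender) {
  return "0xdd62ed3e" + padAddress(owner) + padAddress(spender);
}

// Decode the uint256 returned by that eth_call.
function decodeAllowance(returnData) {
  return wordToBigInt(strip0x(returnData).slice(0, 64));
}

// Constructed sample values (hypothetical addresses, not from the post):
// a DApp asking the wallet to approve an unlimited allowance for its spender.
const SAMPLE_OWNER = "0x2222222222222222222222222222222222222222";
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + padAddress(SAMPLE_SPENDER) + "f".repeat(64);

if (typeof require !== "undefined" && require.main === module) {
  const decoded = decodeCalldata(SAMPLE_UNLIMITED_APPROVE);
  console.log(decoded.name, decoded.spender, decoded.unlimited);
  console.log(assessApproval(decoded));
  console.log(encodeAllowanceCall(SAMPLE_OWNER, SAMPLE_SPENDER));
}
```

A wallet that surfaces the output of assessApproval() before the signing prompt would have shown an unlimited allowance to an unknown spender; running encodeAllowanceCall() against each token contract you hold, and revoking anything non-zero you do not recognize by sending approve(spender, 0), is the manual equivalent of what revoke.cash does.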

I believe there are a lot of other victims aside from my brother-in-law and me. I have gathered the following reviews of Coinbase Wallet recently posted on Google Play Store. I believe they are users who are in the same situation as us: