For three weeks, Overstock customers were able to make huge Bitcoin (BTC) profits due to a mix-up on the site between BTC and BCH in its Coinbase payment integration, an independent researcher revealed.
Online retail giant Overstock said in a statement to a customer Jan. 9 that it is “aware” of a significant glitch in its payment system, which let customers pay with Bitcoin (BTC) and Bitcoin Cash (BCH) interchangeably, accidentally allowing for a huge potential discount.
In what online publication The Verge described as “a lesson in how not to offer cryptocurrency payments,” Overstock, which has accepted Bitcoin since 2014, inadvertently provided BCH holders with a golden arbitrage opportunity.
In addition to charging either BTC or BCH at a rate of 1:1 for the same item, any refund requests were paid exclusively in BTC, resulting in the potential for huge profits for anyone paying in BCH.
The glitch was first publicly reported by KrebsOnSecurity’s Brian Krebs on Jan. 9. Krebs reportedly bought solar lights from Overstock worth $78.27, paying for them in Bitcoin Cash. But Overstock charged him Bitcoin Cash at the same rate as Bitcoin, meaning he paid only $12.02 for the lights. He then requested a refund and was returned the payment in Bitcoin, worth $77.80 at the time.
Following Krebs’s report of the bug, Overstock wrote him a response that laid the blame for the glitch on their payment integration partner, Coinbase, and confirmed they had since fixed the error:
“We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher [Krebs]. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue.”
Coinbase in turn excused the error, telling Krebs that it was a problem on Overstock’s side, but that the companies worked together to solve it:
“The issue was caused by the merchant partner improperly using the return values in our merchant integration API. No other Coinbase customer had this problem. After being made aware of an issue in our joint refund processing code on Saturday, Coinbase and Overstock worked together to deploy a fix within hours. To our knowledge, a very small number of transactions were impacted by this issue.”
Krebs summarized the potential impact of the situation, saying:
“Consider the implications here: A dishonest customer could have used this bug to make ridiculous sums of Bitcoin in a very short period of time.”
According to Krebs, Overstock told him to keep the ‘profit’ he made in the process of discovering and testing the glitch. He then reportedly donated the extra money to a non-profit library.
Coinbase told Krebs the situation had existed on the Overstock website for three weeks prior to his finding and report.
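The class of check that prevents this kind of mix-up, as an added example (not code from Overstock, Coinbase or Krebs): a payment is accepted only if the currency the processor reports matches the currency the invoice was quoted in, and a refund goes out in the coin actually received, capped at the order's fiat price. The data model, function names, exchange rates and sample order are all assumptions constructed for illustration and do not reflect Coinbase's merchant API.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical data model: field names are assumptions, not Coinbase's merchant API.
@dataclass(frozen=True)
class Invoice:
    order_id: str
    fiat_total: Decimal   # order price in USD
    currency: str         # coin the invoice was quoted in
    amount_due: Decimal   # coin amount quoted for that currency

@dataclass(frozen=True)
class Payment:
    order_id: str
    currency: str         # coin the processor reports it received
    amount: Decimal

class PaymentMismatch(Exception):
    """Raised when a reported payment does not match the invoice."""

# Constructed exchange rates (USD per coin), for illustration only.
RATES = {"BTC": Decimal("15000"), "BCH": Decimal("2300")}

def naive_refund(invoice, payment):
    # Models the behaviour the article describes: only the number is read,
    # the currency is ignored, and the refund always goes out in BTC.
    return ("BTC", payment.amount)

def settle(invoice, payment):
    # Accept a payment only if order, currency and amount all match the invoice.
    if payment.order_id != invoice.order_id:
        raise PaymentMismatch("payment is for a different order")
    if payment.currency != invoice.currency:
        raise PaymentMismatch(f"invoiced in {invoice.currency}, received {payment.currency}")
    if payment.amount < invoice.amount_due:
        raise PaymentMismatch("amount received is below the amount due")
    return payment

def checked_refund(invoice, payment, rates=RATES):
    # Refund in the coin actually received, capped at the order's fiat price.
    paid = settle(invoice, payment)
    rate = rates[paid.currency]
    refund_fiat = min(paid.amount * rate, invoice.fiat_total)
    return (paid.currency, (refund_fiat / rate).quantize(Decimal("0.00000001")))

# Constructed sample: a $78.27 order invoiced in BTC, then paid with the same number of BCH.
INVOICE = Invoice("order-1", Decimal("78.27"), "BTC", Decimal("0.005218"))
BCH_PAYMENT = Payment("order-1", "BCH", Decimal("0.005218"))
BTC_PAYMENT = Payment("order-1", "BTC", Decimal("0.005218"))
```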