Free extract from the online version of the Manning book Secure APIs.

Foreword

A few years ago, a cyber researcher decided to examine the Coinbase app. They watched all the traffic between their browser and the server, mapping out the API calls behind everyday functions such as checking prices and executing trades. Like a good hacker, they ditched the web interface and started communicating directly with the API, where they could be a lot more creative with requests. (The UI is far too controlled and restrictive.)

This particular researcher had already purchased some Ethereum, so they crafted a request to sell their Ethereum via the API but told the server to sell it as Bitcoin instead. They pressed Enter and waited for the error message to return—but it never came. What they received instead was a trade confirmation. Their $1,060 in Ethereum successfully sold as more than $43,000 in Bitcoin. To Coinbase’s credit, the issue was fixed within hours, and the researcher was rewarded with the company’s largest-ever bug bounty: $250,000.