Skip to main content

Retailer Overstock mixed up bitcoin and bitcoin cash, letting customers buy items at a steep discount

Retailer Overstock mixed up bitcoin and bitcoin cash, letting customers buy items at a steep discount

/

A lesson on how not to offer cryptocurrency payments

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Bitcoin
Photo by Mehmet Ali Ozcan/Anadolu Agency/Getty Images

A serious payment glitch on retail website Overstock.com, which sells everything from furniture to diamond rings, allowed customers to pay with either bitcoin or bitcoin cash interchangeably. It’s a problem because the two cryptocurrencies, which split off from one another last August, have wildly different valuations.

According to CoinMarketCap, one bitcoin is currently worth $13,880, while a single unit of bitcoin cash is valued at $2,355, meaning those who paid with bitcoin cash could buy an item for a fraction of the asking price. Worse still, if a customer paid in bitcoin cash and wanted a refund, Overstock’s system would refund the customer in bitcoin, giving the user more money than they initially paid. It’s not clear how many customers may have taken advantage of this error.

The glitch was first reported by independent journalist Brian Krebs of KrebsOnSecurity. When Krebs purchased solar lights worth $78.27 from the site, Overstock instructed him to send 0.00475574 in bitcoin to their address. Instead of sending bitcoins, Krebs sent 0.00475574 in bitcoin cash, which Overstock accepted. This meant he paid only $12.02 for the lights. He requested a refund, which Overstock gave back in bitcoin worth $77.80 and not bitcoin cash. “A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time,” Krebs wrote.

In a statement to Krebs, Overstock said:

“We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue. We have since confirmed that the issue described in the finding has been resolved, and the cryptocurrency payment option has been re-enabled.”

Coinbase said the issue was “caused by the merchant partner improperly using the return values in our merchant integration API,” and noted that no other Coinbase customer had this problem. Bitcoin experienced a meteoric rise in 2017, rocketing to valuations of more than $20,000 after starting the year at $800, though it remains extremely volatile.