HackerOne Disclosed Reports - 2026-05-20
Source: Dark C0d3rs (https://darkcoders.wiki), forum Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) > Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports), thread /Thread-HackerOne-Disclosed-Reports-2026-05-20
HackerOne disclosed reports - 2026-05-20 - hashXploiter - 05-21-2026
Severity: Medium | State: resolved | Weakness: Improper Authentication - Generic
Title: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)
Reported by Gabriel Ferreira; disclosed on May 20, 2026, 9:26 am
A vulnerability was discovered in the CoinMate API where the POST /api/bitcoinWithdrawalFees endpoint was accessible without authentication, despite being documented as a private endpoint. The endpoint returned real-time Bitcoin withdrawal fee data without requiring any authentication, unlike other private endpoints, which correctly rejected unauthenticated requests. The root cause was determined to be a misconfiguration in the authentication middleware that allowed the request to bypass HMAC-SHA256 signature verification. This inconsistency in authentication enforcement indicated a potential configuration error that could affect other recently added or refactored endpoints.

Severity: Low | State: resolved | Weakness: Missing Required Cryptographic Step
Title: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API
Reported by Gabriel Ferreira; disclosed on May 20, 2026, 9:26 am
A vulnerability was discovered in the HMAC signature verification process of the CoinMate API. The signature was calculated using only the nonce, client ID, and public key, omitting the HTTP endpoint and request payload. This allowed an attacker to hijack a valid signature intended for a read-only action and use it to execute a malicious action on a different endpoint, bypassing the cryptographic constraints.
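The second report above comes down to what the HMAC covers. Below is an added example (not CoinMate's code and not from the reports) that models both schemes side by side: a weak signature over nonce + clientId + publicKey only, and a hardened one that also binds the HTTP method, path and a hash of the request body, plus server-side nonce tracking against replay. With the weak scheme a signature captured from a read-only call validates unchanged on a withdrawal endpoint; with the hardened scheme the same forgery, and a straight replay, are rejected. The concatenation order, upper-case hex encoding, the private key, client ID, and the endpoint names /api/balances and /api/bitcoinWithdrawal are all assumptions made for the example; the page only names /api/bitcoinWithdrawalFees.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Form fields that carry authentication; they are excluded from the body hash.
AUTH_FIELDS = ("clientId", "publicKey", "nonce", "signature")


def weak_signature(private_key: str, nonce, client_id: str, public_key: str) -> str:
    """Signature over nonce + clientId + publicKey only, the pattern the report describes.
    Concatenation order and upper-case hex are assumptions for this example."""
    msg = f"{nonce}{client_id}{public_key}".encode()
    return hmac.new(private_key.encode(), msg, hashlib.sha256).hexdigest().upper()


def canonical_body(params: dict) -> str:
    """Deterministic encoding of the non-auth parameters so client and server hash identical bytes."""
    return urlencode(sorted((k, v) for k, v in params.items() if k not in AUTH_FIELDS))


def strong_signature(private_key: str, nonce, client_id: str, public_key: str,
                     method: str, path: str, params: dict) -> str:
    """Hardened scheme: the signed string also binds method, path and the payload hash,
    so a signature is only valid for the exact request it was produced for."""
    body_hash = hashlib.sha256(canonical_body(params).encode()).hexdigest()
    msg = "\n".join([str(nonce), client_id, public_key, method.upper(), path, body_hash]).encode()
    return hmac.new(private_key.encode(), msg, hashlib.sha256).hexdigest().upper()


def sign_request(private_key, client_id, public_key, nonce, method, path, params, strong):
    """Client side: build a request dict (method, path, form params) carrying auth fields."""
    req = {"method": method, "path": path, "params": dict(params)}
    req["params"].update({"clientId": client_id, "publicKey": public_key, "nonce": str(nonce)})
    if strong:
        sig = strong_signature(private_key, nonce, client_id, public_key, method, path, req["params"])
    else:
        sig = weak_signature(private_key, nonce, client_id, public_key)
    req["params"]["signature"] = sig
    return req


def verify_weak(req: dict, private_key: str) -> bool:
    """Server side, weak scheme: anything with a valid (nonce, clientId, publicKey) triple passes,
    whatever the endpoint or payload."""
    p = req["params"]
    expected = weak_signature(private_key, p.get("nonce", ""), p.get("clientId", ""), p.get("publicKey", ""))
    return hmac.compare_digest(expected, p.get("signature", ""))


def verify_strong(req: dict, private_key: str, used_nonces: set) -> bool:
    """Server side, hardened scheme: recompute over the actual method/path/body and reject reused nonces."""
    p = req["params"]
    try:
        nonce = int(p["nonce"])
    except (KeyError, ValueError):
        return False
    if nonce in used_nonces:          # replay of an already-accepted request
        return False
    expected = strong_signature(private_key, nonce, p.get("clientId", ""), p.get("publicKey", ""),
                                req["method"], req["path"], p)
    if not hmac.compare_digest(expected, p.get("signature", "")):
        return False
    used_nonces.add(nonce)
    return True


def forge_cross_endpoint(captured: dict, target_path: str, target_params: dict) -> dict:
    """Attacker: lift the auth fields from a captured request and attach them to a different
    endpoint with an attacker-chosen payload (the hijack the report describes)."""
    forged = {"method": captured["method"], "path": target_path, "params": dict(target_params)}
    forged["params"].update({k: captured["params"][k] for k in AUTH_FIELDS})
    return forged


def demo() -> dict:
    # Constructed credentials and endpoints for the example; none of these are real.
    private_key, client_id, public_key = "example-private-key", "12345", "EXAMPLEPUBLICKEY"
    withdrawal = {"amount": "0.5", "address": "bc1qexampleattackeraddress"}

    # Weak scheme: a read-only /api/balances call is captured and replayed against a withdrawal.
    read_weak = sign_request(private_key, client_id, public_key, 1716000000001,
                             "POST", "/api/balances", {}, strong=False)
    forged_weak = forge_cross_endpoint(read_weak, "/api/bitcoinWithdrawal", withdrawal)

    # Hardened scheme: same capture, same forgery attempt, plus a straight replay.
    used = set()
    read_strong = sign_request(private_key, client_id, public_key, 1716000000002,
                               "POST", "/api/balances", {}, strong=True)
    forged_strong = forge_cross_endpoint(read_strong, "/api/bitcoinWithdrawal", withdrawal)
    return {
        "weak_accepts_original": verify_weak(read_weak, private_key),        # True
        "weak_accepts_forgery": verify_weak(forged_weak, private_key),       # True: endpoint/payload unsigned
        "strong_accepts_original": verify_strong(read_strong, private_key, used),   # True
        "strong_accepts_replay": verify_strong(read_strong, private_key, used),     # False: nonce reused
        "strong_accepts_forgery": verify_strong(forged_strong, private_key, set()), # False: path/body differ
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical check is the pair of `*_accepts_forgery` results: if a signature computed for one endpoint verifies on another, the HMAC input is missing the request identity, regardless of how strong the key or the hash is. Binding method, path and a body hash, and refusing reused nonces on the server, closes both the cross-endpoint and the replay case.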