Users of popular online stock trading app Robinhood Market Inc. have allegedly found a glitch that allows them to trade stocks with excess borrowed funds.

Dubbed the “infinite money cheat code,” the bug was first detailed on Reddit. Users boasted of how they were using it to fund market positions. One person claimed that he had a $1 million position funded by a $4,000 deposit while another claimed to have accessed $50,000 for free.

According to Bloomberg, the cheat is due to a bug that occurs when users of Robinhood Gold sell covered calls using money borrowed from Robinhood’s margin lending service. The bug causes Robinhood incorrectly to add the value of those calls to the user’s capital, meaning that the more a user borrows, the more money Robinhood provides them.

Robinhood has confirmed the issue, saying that it was “aware of the isolated situations and communicating directly with customers.”

While users of r/WallStreetBets where the exploit first emerged are gloating over both the find and subsequent media coverage, those exploiting the bug may be in legal trouble going forward.

“If there’s an element of deceit, that you got this by exploiting a loophole in a system, I can see how that could become a securities fraud case,” Donald Langevoort, a law professor at Georgetown University, told Bloomberg. “The other possibility is just the basic common law of restitution. If you take advantage of someone’s mistake to line your own pockets, you need to pay them back.”

The exploit appears to take advantage of a coding issue. Jonathan Knudsen, senior security strategist at electronic design automation company Synopsys Inc., told SiliconANGLE that software vulnerabilities are like secrets in a soap opera: Sooner or later, somebody is going to find them and then everybody will know.

“The good news is that using a proactive, security-forward approach, you can suss out vulnerabilities during your product development,” Knudsen said. “When you find vulnerabilities, you get to fix them before taking your product live. This means you have less risk of someone else finding vulnerabilities, which can be embarrassing, expensive, or catastrophic.”

Even with the best secure development process in place, vulnerabilities can still happen. “Risk is reduced but never eliminated,” he said. “You can be sure that Robinhood is revising its development process right now to make sure no other vulnerabilities like this slip through the cracks.”

Photo: Robinhood