The well-known exchange Coinbase has just paid a $30,000 reward to a user who discovered a bug in its systems.
A Coinbase spokesman confirmed that a “critical vulnerability” had been present and has since been fixed, but gave no further details on the exact nature of the bug.
The bug was reported on February 12 through Coinbase's bounty program on HackerOne.
The only information available at the moment is the amount paid to the discoverer: a $30,000 reward, which suggests that the bug was a serious threat to the system.
Coinbase pays rewards to those who report vulnerabilities according to severity: $200 for low-severity issues, $2,000 for medium, $15,000 for high and $50,000 for critical. The reward paid in this case falls roughly halfway between the high and critical tiers.
To be rated “critical impact”, a vulnerability must allow the attacker to “read or modify sensitive data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way”, and the attacker must be able to “unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control”.
This is not the first time Coinbase has rewarded bugs reported through its bounty program, but most of those were low-risk vulnerabilities, and the rewards were only a few hundred dollars. A $30,000 reward is therefore unusual, as well as very significant.
Last year, for example, a $10,000 reward went to users who found a way to credit their accounts with unlimited amounts of Ethereum.