The flaw was logged on February 12 via Coinbase’s vulnerability disclosure program on HackerOne. A Coinbase spokesperson confirmed to Hard Fork the vulnerability has since been fixed, but could not provide any further details about the issue in question.
The vulnerability report is closed to the public, but considering the high bounty of $30,000, it seems the flaw was rather severe.
Currently, Coinbase has a four-tier reward system based on the impact of the bug: $200 for low, $2,000 for medium, $15,000 for high, and $50,000 for critical impact.
“In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers,” the company’s bounty terms stipulate. “Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: impact and exploitability.”
To qualify for a critical impact bounty, a vulnerability must allow attackers to “read or modify sensitive data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.” As far as critical exploitability goes, Coinbase says attackers must be able to “unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.”
For the record, the exchange awarded three more bounties this week, but all of those were marked as low-impact attack vectors.
Blockchain companies can’t catch a break
Despite boasting heightened security capabilities, blockchain and cryptocurrency technologies aren’t immune to bugs.
In a similar case, last year Coinbase gave a $10,000 bounty to researchers who found a vulnerability in its platform that made it possible to reward yourself with unlimited amounts of Ethereum.
Coinbase is hardly the only company dealing with kinks in its system though. Data shared with Hard Fork showed that hackers pocketed $878,000 from blockchain-related bug bounties in 2018.
From the looks of it, the trend is here to stay. Indeed, EOS developer Block.one has already dished out over $80,000 in bug bounties in 2019 alone.
Published February 13, 2019 — 14:33 UTC