Popular US-based cryptocurrency exchange Coinbase has recently paid a hacker $30,000 for discovering a critical vulnerability on its platform that, according to a company representative, has already been fixed.
The flaw was disclosed earlier this week through Coinbase's vulnerability disclosure program on HackerOne, a platform through which companies pay white hat hackers for reporting security vulnerabilities so they can be patched. Speaking to Hard Fork, a Coinbase spokesperson reportedly confirmed the vulnerability has been fixed.
While details of the vulnerability have not been made public, the size of the $30,000 bounty indicates it was a serious flaw with potentially serious consequences. The exchange runs a four-tier reward system that pays between $200 and $50,000 depending on the vulnerability's severity.
Coinbase determines severity based on impact and exploitability. For a bug to be critical, it must allow hackers to “read or modify sensitive data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.”
The payout came shortly after the exchange launched an option for Coinbase Wallet users to back up an encrypted copy of their private keys to the cloud (iCloud or Google Drive, depending on the user's operating system).
🔐☁️ Introducing Cloud Backup for your private keys on Coinbase Wallet! Backup to your personal iCloud or Google Drive, and explore the open financial system with peace of mind. https://t.co/6uaHT8AZky
— Coinbase Wallet (@CoinbaseWallet) February 12, 2019
Since the recently found (and reportedly fixed) bug was rated critical, it likely met Coinbase's exploitability criteria as well: a flaw an attacker can exploit "unilaterally", without running into "significant roadblocks or special conditions" outside their control. While this was the only large bounty awarded, Coinbase handed out several smaller ones this week.
Bug Bounties In Crypto
Bug bounties in the cryptocurrency space are nothing new. Last year, Coinbase notably awarded a hacker $10,000 for finding a bug that allowed users to credit themselves with an unlimited amount of Ethereum.
In fact, as CryptoGlobe has covered, cryptocurrency-related bug bounties have been profitable for security researchers who help firms in the industry: last year they netted researchers nearly $900,000 in total.
Available data shows that this year Block.one, the company behind EOS, has already handed out over $80,000 in bug bounties to hackers who found vulnerabilities.