The white-hat hacker responsible for discovering a crisis-level flaw in Coinbase API said the $250K bounty was not “too low.”
On Feb. 11, two days before the Super Bowl and Coinbase’s $14 million color-changing QR code advert, an engineer was desperately trying to reach out to Coinbase management and the development team.
Anyone here can get me a direct line with someone at @coinbase , preferably management or dev team, possibly @brian_armstrong himself?
I’m submitting a hacker1 report but I’m afraid this can’t wait. Can’t say more either, this is potentially market-nuking.
— Tree of Alpha (@Tree_of_Alpha) February 11, 2022
Tree of Alpha had discovered “a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them.” The flaw in the code had the potential to “nuke” the market.
Commenting on the flaw, Tree of Alpha told Cointelegraph that the “vulnerability, itself, was indeed worrying,” sharing that “some oversight on both the dev team and the QA/testing team was needed to let this happen.”
“While the advanced trading product was not available for everyone and was still in beta testing, a significant number of users could have used the exploit.”
However, thanks to the hacker’s quick reactions and an “overwhelming community response,” the danger was averted and Coinbase avoided a “possible crisis.”
As is common with white hat hacking, a bounty was duly awarded. Coinbase has initially awarded $250,000–an insignificant sum for the Silicon Valley-born unicorn. Twitter was quick to judge the quarter-million sum as a “bear market” bounty, particularly considering the scale of the hack and that Coinbase executives earn that figure annually.
Coinbase executive salaries according to Comparably. Source: Comparably
Tree of Alpha told Cointelegraph that the amount was “not too low to be insulting.”
“While a higher bounty might have been wise to deter more grey hats from exploiting vulnerabilities, it is common in the crypto sphere to lose touch with the value of money. For most working human beings, $250K is a very decent sum.”
Related: MakerDAO launches biggest ever bug bounty with $10M reward
Ultimately, the events shone a light on the importance of white hat hacking for a relatively nascent industry. The U.S. State Department recently announced it would offer up to $10 million in crypto rewards to white hat hackers; however, Tree of Alpha affirmed that “white hat hacking is crucial yet criminally overlooked by companies.”
In a word to the wise, they concluded:
“Companies won’t hesitate to spend tens of millions on marketing but won’t spend a fraction of it on making sure there is something left to market.”
Coinbase CEO Brian Armstrong was among the first to thank the white-hat hacker for saving his company:
.@Tree_of_Alpha you’re awesome – a big thank you for working with our team
love how the crypto community helps each other out!
— Brian Armstrong – barmstrong.eth (@brian_armstrong) February 11, 2022