Coinbase awarded a $500k bug bounty

Scope and size of the Coinbase bounty

  • Coinbase paid a $500k bounty via HackerOne to security firm CertiK for an undisclosed issue.
  • Commenters note this is among the largest disclosed HackerOne payouts, but not the absolute largest in crypto.
  • Other cited crypto bounties range from ~$250k to $2M+, including via other platforms (e.g., Immunefi).
  • Total Coinbase bounties on H1 are shown around $2M, which some see as reassuring; others note many companies report $0 publicly.

Who/what is CertiK?

  • Described as a “web3 / smart contract audit” and security company, widely used in the blockchain industry.
  • Co‑founders are linked to major universities; the company has raised substantial funding and is large by crypto standards.

CertiK’s reputation and Kraken incident

  • Several commenters say “CertiK audit” has become a meme because projects they audited later failed or were exploited.
  • A recent incident is discussed where CertiK found a critical bug at a major exchange:
    • Instead of straightforward disclosure, they allegedly exploited it to drain ~$3M, swapped funds, and even touched sanctioned entities.
    • They later reported the bug for a $2M bounty without initially disclosing the drained funds, then resisted returning them, framing legal threats as persecution, before eventually promising to return the money.
  • Some call this outright black‑hat behavior; others frame it as highlighting the difficulty of trust in crypto auditing.

Bug bounty platforms (HackerOne/Bugcrowd) experiences

  • Multiple reports of frustration with H1/Bugcrowd triage:
    • Denial-of-service and similar issues often dismissed, sometimes contrary to reporters’ expectations.
    • Triage staff are seen as junior, overloaded, and sometimes unable to recognize serious issues.
    • Companies use these platforms partly as a filter and shield from dealing with “the crazies,” which can also filter out valuable reports.

Crypto security, trust, and regulation

  • Long debate about whether crypto’s “trustless” ideal works in practice when users rely on centralized exchanges, auditors, and ETFs.
  • Some argue crypto offers unique sovereignty and a check on abusive governments; others respond that existing financial systems, with regulation, recourse, and insurance, are more trustworthy.
  • Views diverge on KYC/AML:
    • One side sees it as overbearing regulation blocking crypto’s potential as frictionless money.
    • The other sees it as a necessary tool against crime and terror financing.

Is hunting bugs in crypto worth it?

  • Some encourage crypto skeptics to exploit high bounties for profit.
  • Others question the expected value: large payouts are rare, and some researchers doubt firms will honor “up to $X million” promises.