Introduction
Coinbase and Cantina have launched a new $5 million bug bounty program focused entirely on Coinbase’s onchain products. The official announcement was followed by a live session hosted by Cantina, featuring Anmol Malhotra (Head of Product and Blockchain Security, Coinbase), Shashank Agrawal (Head of Security for Base), and Hari Mulackal (CEO and Co-Founder of Cantina).
This initiative marks a strategic step forward in reinforcing real-world resilience across systems that serve institutions and users alike. The space provided insights into why the program was launched, what sets it apart, and what the teams hope to see from the broader security research community. Let’s dive in.
Why Launch a New Onchain Bug Bounty Program?
Anmol Malhotra opened the conversation with a clear intent:
We value the research community and have been working with them for over a decade now, and this is just an extension of that commitment. Through our bug bounty program hosted on HackerOne, hundreds of researchers have engaged with our products and received over $2.3M in bounties. It is rated as a top response efficiency program.
As the pace of onchain development accelerates at Coinbase and as the global economy comes onchain, we believe it is important to have the right set of researchers work with us to protect these assets. So we are launching a new bug bounty program to connect with the broader onchain security research community and to further strengthen our security posture.
The new program exclusively focuses on onchain vulnerabilities and all smart contracts deployed by Coinbase in connection with any product are in scope.
Why Cantina?
Coinbase selected Cantina as the exclusive platform partner for the new initiative. According to Anmol:
Coinbase and Cantina have been strong partners for several years in the onchain security space. Through their marketplace, Cantina has found great researchers for flexible and timely audits.
They have complemented our internal audits well – everything goes through one or more internal audits before it goes external. On occasion, their researchers and ours have found interesting bugs together.
Scope of the Program
Shashank Agrawal outlined the structured scope, divided into Tier 0 and Tier 1 categories:
- Tier 0: Base, cbBTC, cbETH
- Tier 1: Covering the remainder of Coinbase’s onchain products: wallets, identity, payments, NFTs, integrations, developer-facing contracts, and others
This is about covering the surface area that Coinbase puts onchain, across a wide range of products. Researchers are helping secure infrastructure with real-world usage and responsibility.
What Makes This Program Unique?
Anmol and Shashank pointed to three core differentiators:
- Large diversity of onchain products. Most bounties are for a specific onchain app.
- State-of-the-art products that are used by thousands or millions of people.
- You are helping secure the products that will bring the next billion people onchain.
Measuring Success
When asked how Coinbase defines success, Anmol emphasized:
- Cultivating long-term collaboration with contributors who demonstrate clarity and precision.
- Driving submissions that lead to measurable improvements in how Coinbase’s onchain systems operate.
What Kind of Researcher Engagement Is Expected?
Shashank responded:
- We’re looking forward to consistent engagement from researchers who care about the same standards we hold ourselves to.
- We’re always looking for ways to improve and encourage innovative approaches to security.
Security and the Future of Onchain Development
Q: What else is pivotal in the next stage of onchain security?
“Security maturity will need to mirror protocol complexity. Continuous engagement with domain experts, structured feedback loops, and proactive integration of findings will be central to long-term resilience.” - Shashank Agrawal (shared as a follow-up reflection post-session)
Community Questions: Coinbase’s Reflections
- How should a $5M bounty reshape the standard for vulnerability disclosures in Web3?
A: Coinbase’s bounty offers researchers the opportunity and the right incentives to find bugs in a large, diverse set of onchain products, something that no other program offers.
- What guided the decision to include Base’s smart contracts and onchain products specifically?
A: Base is one of the top blockchains in the world, securing over $13B in total value. Security of Base has always been an important priority for us.
- What does a productive researcher engagement look like from Coinbase’s perspective?
A: High-quality submissions with a detailed technical description, a clear statement of impact, and a proof of concept. Healthy discussions with Cantina and Coinbase post-submission.
Watch the Full Session
The full Coinbase × Cantina $5M Bug Bounty live session is now available to watch.
Final Thoughts
This program represents a long-term investment in system resilience. Coinbase is opening its onchain products to rigorous external scrutiny, and Cantina is providing the structure to facilitate high-signal discovery. It reflects a shared belief that real trust is built through transparency, expertise, and engagement at scale.
The program is now live on Cantina. Researchers ready to contribute can access scope details and begin submissions today. Start here.