Coinbase

@coinbase

Live

Maximum reward

$5,000,000

Severity

Max. Reward

Critical

$5,000,000

High

$500,000

Medium

$50,000

Low

$5,000

Findings submitted

Start date

8 Jul 2025

Please sign in as a researcher to join the bounty.

Severity

Min and Max Reward

Critical

$500,000 to $5,000,000

High

$50,000 to $500,000

Medium

$5,000 to $50,000

Low

Up to $5,000

We have three products in Tier 0: Base, cbBTC, and cbETH.

Asset	Description	Scope
Base	An L2 that rolls up to Ethereum (L1).	L2 & L1 mainnet addresses as specified here
cbBTC	Wrapped BTC, backed 1:1 by Coinbase.	Contracts on Base, Ethereum, Solana, and Arbitrum — and any other networks we may add in the future — as specified here
cbETH	Wrapped staked ETH that represents ETH staked through Coinbase.	Contracts on Ethereum, Arbitrum, Optimism, Polygon, and Base — and any other networks we may add in the future — as specified here

Asset	Description
Base	https://docs.base.org/base-chain/network-information/base-contracts
cbBTC	https://www.coinbase.com/blog/coinbase-wrapped-btc-cbbtc-is-now-live
cbETH	https://www.coinbase.com/price/coinbase-wrapped-staked-eth

The following types of contracts will not be in scope:

Issues found in previous security reviews
Third-party contracts not under direct project control
Issues with non-standard ERC20 tokens (unless explicitly supported by the project)
Rounding errors with no significant impact
User errors requiring obviously incorrect parameter inputs
Vulnerabilities that only manifest during extreme market conditions
Incorrect data from third-party oracles
- Note: Oracle manipulation and flash loan attacks are still in scope
Theoretical exploits without practical proof-of-concept
Issues requiring access to leaked keys or credentials
Issues arising from Sybil attacks
Centralization risks
Basic economic and governance attacks (such as 51% attacks)
Protocol design choices
Gas optimization issues and high gas costs
Best practice suggestions
Submissions generated using ChatGPT or other LLM tools