Coinbase

@coinbase
Live

Maximum reward: $5,000,000

Severity: Max. Reward

  • Critical: $5,000,000
  • High: $500,000
  • Medium: $50,000
  • Low: $5,000

Findings submitted: 27

Start date: 8 Jul 2025



In scope

Severity: Min and Max Reward

  • Critical: $50,000 to $500,000
  • High: $5,000 to $50,000
  • Medium: $500 to $5,000
  • Low: Up to $500

Tier 1 encapsulates everything that is not in Tier 0. In other words, Tier 1 has mainnet contracts associated with all products not in Tier 0 that are deployed by Coinbase.

Out of scope

Out of scope targets

The following types of contracts will not be in scope:

  • Contracts deployed on testnets and devnets
  • Contracts deployed on mainnet for testing purposes
  • Contracts deployed on mainnet for internal use
  • Third-party dependencies of any of our contracts
  • Third-party contracts that may be used by Coinbase to provide certain services

Default out of scope

  • Issues found in previous security reviews
  • Third-party contracts not under direct project control
  • Issues with non-standard ERC20 tokens (unless explicitly supported by the project)
  • Rounding errors with no significant impact
  • User errors requiring obviously incorrect parameter inputs
  • Vulnerabilities that only manifest during extreme market conditions
  • Incorrect data from third-party oracles
    • Note: Oracle manipulation and flash loan attacks are still in scope
  • Theoretical exploits without practical proof-of-concept
  • Issues requiring access to leaked keys or credentials
  • Issues arising from Sybil attacks
  • Centralization risks
  • Basic economic and governance attacks (such as 51% attacks)
  • Protocol design choices
  • Gas optimization issues and high gas costs
  • Best practice suggestions
  • Submissions generated using ChatGPT or other LLM tools