There is a discussion on that thread about the bounty being rather small compared to the damage it could have caused the crypto market and/or Coinbase’s stock/reputation. Its low relative value is even being cited as a risk to future bugs not being responsibly disclosed.
It is, however, important to consider the technical complexity, effort, and exploitability when valuing an exploit. This was a very, VERY simple bug to find and, with KYC, very obvious and unlikely to be truly monetizable without consequences if exploited (unlike, say, getting access to the private key of a hot wallet). The biggest damage would have been reputational (though a rational person should consider the fact that this kind of missing condition check bug made it to production a major issue already). The market would have recovered from whatever flash crash ensued and the attacker wouldn’t be likely to keep their winnings.
Kudos to tree_of_alpha for being the first to look at the API, spotting this, and reporting responsibly - $250k for what appears to be under an hour of work that was driven by curiosity is not a bad deal at all. I know Brian Armstrong frequents HN so it will indeed be interesting to get his take on this as well if he was involved in it.