Coinbase Initiates $5M Bug Bounty Program On Cantina For On-Chain Products And Base Smart Contracts

In Brief

Coinbase has launched a $5 million bug bounty program on the Cantina platform focused on securing its active onchain products and Base smart contracts through structured, reproducible assessments by expert researchers.

Cryptocurrency exchange Coinbase has introduced a $5 million bug bounty program through the Web3 security platform Cantina, focusing exclusively on the security of its onchain products and Base’s smart contracts. This initiative aims to establish a new standard for securing global Web3 infrastructures by inviting expert security researchers to engage with Coinbase’s critical systems through a verified and structured process on Cantina.

The program reflects Coinbase’s commitment to institutional-grade security practices across its engineering and security operations. Researchers submitting findings will have their reports reviewed by Web3 security professionals who prioritize both the clarity and severity of vulnerabilities to ensure efficient identification and resolution of high-impact issues.

This program expands on Coinbase’s ongoing collaboration with Cantina, which has previously involved structured security assessments of vital protocol components such as Verified Pools, Fault Proof Audits, Nitro Validator, WebAuthn modules, ERC-6492 validation logic, and SpendPermissionManager. These prior engagements were conducted with defined scopes, comprehensive technical documentation, and production context, providing a solid foundation for the launch of this large-scale public bug bounty initiative.

Coinbase Bug Bounty Targets Mainnet-Deployed Smart Contracts

The program operates exclusively through Cantina’s platform, enabling researchers to perform organized and reproducible assessments within defined scope areas. The submission process is designed to minimize obstacles, ensuring that all findings are evaluated with appropriate context and consistency. Compensation is awarded based on the reproducibility of the issue and its technical importance, with reward levels reflecting the severity of the vulnerability and its impact on live production environments.

The initiative specifically targets the onchain elements of Coinbase’s products, focusing on smart contracts that meet certain criteria: they must be deployed on a mainnet by Coinbase and actively utilized by a Coinbase product or serve a production purpose, excluding proof-of-concept contracts. The program is structured into two distinct tiers. Coinbase reserves the right, at its sole discretion, to issue rewards for vulnerabilities discovered in contracts outside the defined scope if the findings are deemed valuable. Any security issues related to off-chain components should continue to be reported through Coinbase’s existing HackerOne bug bounty program.
