Coinbase Deploys $5 Million Bug Bounty to Bolster Base Network and On-Chain Security

09.07.2025 13:33

Coinbase has launched a $5 million bug bounty program hosted on the Cantina platform, targeting vulnerabilities in its on-chain products and Base network smart contracts. This initiative—one of the largest Web3 security programs to date—offers rewards scaled by vulnerability severity, with submissions evaluated for reproducibility and technical impact. The bounty covers critical components like Base's Verified Pools, Fault-Proof Audits, Nitro Validator, WebAuthn modules, and ERC-6492 validation logic.

The move follows Base's rapid institutional adoption, highlighted by JPMorgan's deployment of its JPMD digital deposit token on the network, leveraging Base's sub-second settlement and Security Council governance for institutional compliance. Additionally, Shopify integrated USDC payments via Base across 34 countries, utilizing the network's Commerce Payment Protocol for sub-$0.01 transaction fees and 200-millisecond cross-border settlements.

This security push comes amid heightened risks, including a recent Coinbase data breach affecting 70,000 users, in which overseas support staff leaked personal data, prompting a $20 million matching reward for attacker information. Coinbase responded by terminating 200+ employees, establishing a U.S.-based support hub, and enhancing insider-threat detection.

Proactively, the bounty aims to preempt threats like re-entrancy attacks, flash loan exploits, and oracle manipulation, reinforcing trust as tokenized assets surge 260% in H1 2025 toward a projected $30 trillion market. Jesse Pollak, Base creator and Coinbase VP, emphasized Base's role in enabling J.P. Morgan's near-instant institutional transfers, while SEC Chairman Paul Atkins declared tokenization 'imminent' for market efficiency.