One of the hackers says the bug that he discovered could have been used by malicious actors to steal assets.
Two ethical hackers who uncovered critical security vulnerabilities in OpenSea's marketplace have been given a $100,000 bounty each.
Corben Leo, the chief marketing officer of Zellic, flagged an issue he had uncovered to HackerOne.
The flaw was fixed within three hours — and because it was a critical vulnerability, he was given a six-figure sum as a thank you. He tweeted:
"I'm not trying to brag, I never share bounty amounts — but I'm literally shaking right now and wanted to share my amazement. I'm super duper lucky and blessed to have found this."
An anonymous hacker called Nix had a similar experience a few days earlier — and said they were "impressed by OpenSea's commitment to security," tweeting:
"I discovered a vulnerability on OpenSea and reported it through HackerOne. In less than 12 hours they had triaged, reproduced, patched and awarded me a sizable bounty!"
Speaking to The Block, Leo explained that the critical bug he uncovered could have been used by malicious actors to steal assets.
Meanwhile, OpenSea suggested that the bounty program makes business sense — as it incentivizes people to report flaws rather than exploit them. A spokesperson told the outlet:
"We're pleased to see the community's engagement with this program, and even more excited that our average response and patch times have gotten much faster since the program’s launch in October 2021."
According to HackerOne, OpenSea's program typically pays $500 for a low-severity bug, rising to $6,000 for a medium-severity bug, $20,000 for a high-severity one, and $100,000 for a vulnerability rated critical to OpenSea.io.
HackerOne's figures show that more than $1.65 million in bounties has been paid out so far, $475,000 of it in the past 90 days.
White hat hacking comes with strict rules: a hacker's testing must not disrupt the operation of the business in any way, and social engineering attacks (such as phishing) are prohibited.
Bounties are common across the crypto industry, but some businesses have been accused of offering "insulting" rewards to those who uncover incredibly damaging vulnerabilities.
Earlier this year, Tree of Alpha uncovered a flaw in Coinbase's Advanced Trading tool that would have allowed a malicious actor to sell Bitcoin without owning it — giving them the power to "nuke" the market.
They were subsequently rewarded with $250,000 for their hard work, but some on Crypto Twitter claimed Tree of Alpha should have been given much, much more.