OpenSea has paid $200,000 in bounty rewards to two ethical hackers who discovered separate critical vulnerabilities in the NFT marketplace in the last ten days. Each hacker was individually rewarded $100,000.
The first was paid to Corben Leo, a security expert and chief marketing officer at security firm Zellic, who said that he received $100,000 on Monday for having discovered a critical OpenSea vulnerability via the bug bounty platform HackerOne.
Had it not been found, the critical bug could have been potentially exploited by malicious hackers to steal assets, Leo told The Block. “It was a vulnerability affecting their web services. It would’ve allowed an attacker to compromise OpenSea’s infrastructure,” he said.
Another anonymous whitehat hacker, who goes by Nix, told The Block that OpenSea also rewarded them $100,000 for reporting another critical vulnerability on 19 September, though Nix did not provide additional details.
“The vulnerability report and any details around it are confidential,” Nix said. This bug was also flagged on the HackerOne platform.
A spokesperson for OpenSea confirmed to The Block that these bounties were genuine, adding that patches for both vulnerabilities have been issued. They said the firm was satisfied to see the HackerOne bounty program working as intended.
“We’re pleased to see the community’s engagement with this program, and even more excited that our average response and patch times have gotten much faster since the program’s launch in October 2021,” the spokesperson said.
OpenSea is the largest NFT marketplace on Ethereum in terms of daily volume. But the platform has previously faced user interface issues and security vulnerabilities that have resulted in loss of user assets.
To deal with these issues, OpenSea entered a program with HackerOne, a crowdsourced ethical hacking platform designed to help companies discover and fix vulnerabilities before they can be misused.
As part of the program, OpenSea offers bounty rewards in tiers according to how serious the threat is. For instance, a “low” level smart contract bug can earn a whitehat up to $6,000, while a “critical” one can lead to a prize of up to $100,000 — the exact amount that was awarded in the two instances. The bug bounty program from OpenSea is still live on HackerOne.