That wouldn't surprise me — A few years ago I reported a vulnerability through their bug bounty program that allowed "mandatory" 2FA for crypto withdrawals to be bypassed.

They paid a pittance and permanently buried the report even though its release wouldn't have posed a risk anymore.