If I were a malicious actor with a good way to attack this, I would wait until this was being used in real applications which deal with larger amounts of ETH, and then attack.
Bug bounties aren't aimed at malicious actors, or an attempt to outbid the black market. There's a lot of non malicious people out there who are still competent hackers.