Also because nobody actively exploited them! You're using the word "detected" to mean "discovered", which nobody working in the field would ever do.

detected: WAF caught or detected the attack and raised an alert, post-exploitation

discovered: they audited or pentested themself and found out, preemptively

I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.