Asset security review

How Coinbase thinks about security

To safeguard users, Coinbase performs a thorough security review of each token before it can be listed. The core goal of Coinbase’s framework is to identify and mitigate risks to a digital asset’s custodiability. Custodiability is the capacity to reliably receive, store, and send original or accrued balances of an asset.

To evaluate custodiability, Coinbase Security focuses on "what can go wrong and what we can do about it." Formally, these two concepts are called "risks" and "mitigations." The security evaluation identifies areas of risk that may be unique to an asset. Once these risks are identified, mitigations are specified that may reduce the asset's risk.

We've provided three examples of risks and mitigations below. Note that implementing a mitigation is sometimes within Coinbase's control and sometimes is not; where it is not, the mitigation falls to the asset issuer.

Example Risk: Weak consensus mechanism
Example Mitigation(s):
Asset Issuer: Modify the consensus mechanism
Coinbase: Increase the confirmation requirement before crediting a deposit

Example Risk: Superuser privileges that may impact user balances
Example Mitigation(s):
Asset Issuer: Renounce the privileges, or otherwise alter the asset's functionality to prevent superuser access to third-party balances

Example Risk: Open vulnerability in the asset’s node software
Example Mitigation(s):
Asset Issuer: Patch the vulnerability and publish a new release

Where an asset follows an open standard implementation, such as ERC-20, Coinbase tailors its review to streamline the process. For ERC-20 tokens, Coinbase has published specific guidance in this blog post.