Scores/Coinbase

Coinbase

TEMPERED

L2 / Staking / Wallet · Ethereum + Base · $11B+ TVL · 15 contracts

Confidence 77%Z-Factor 0.85Updated 2026-05-13Cross-chain assessedPublic Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

742

BRI Score

3004756508251000

Security Profile

Access Control
53

Economic Soundness
82

Oracle Integrity
68

Compositional Risk
78

Governance
40

Maturity
88

Resilience
42

Supply Chain
85

Cross-Chain Messaging
60

Op Security
92

Cascade Exposure
95

Access Ctrl
53

Economic
82

Oracle
68

Compos.
78

Govern.
40

Maturity
88

Resilience
42

Supply Ch.
85

X-Chain
60

OpSec
92

Cascade
95

Min

Avg

Max

Audit History

OpenZeppelin (cbETH)

2022-08Report →

Sherlock (OP Stack/Bedrock)

2023-01

Coinbase Internal Security

2022-07

Bug Bounty Program

$1,000,000

Max payout on HackerOne

View Program →

Assessment

Institutional-grade OpSec and maturity offset by extreme centralization (D5=40) and 48 validated findings (23C+10H+15M). Highest critical ratio (48%) in tracked portfolio. C-BASENAME-001 (addr persistence through re-registration) further degrades access control.

Dimension Breakdown

How scores work →

Access Control

Weight 18%80% conf

Concerning

Fully centralized admin (Coinbase controls minting, pausing, upgrades)
cbETH has a minter role controlled by single entity
Base sequencer is sole-operator
Smart Wallet upgradeToAndCall is cross-chain replayable
C-BASENAME-001: addr records persist through re-registration (access control gap)

Economic Soundness

Weight 13%82% conf

Strong

cbETH exchange-rate model (not rebasing) is simple and safe
Minimal MEV surface on staking derivative
No flash loan exposure on cbETH
Coinbase controls exchange rate oracle unilaterally

Oracle Integrity

Weight 13%75% conf

Moderate

cbETH exchange rate set by Coinbase internal oracle
No Chainlink, no TWAP, no on-chain verification
Base uses standard OP Stack state root oracle
Centralized oracle is trust assumption, not safety property

Battle-Tested Maturity

Weight 12%88% conf

Strong

cbETH 33 months, Base 26 months, Coinbase Inc 12+ years
Zero exploits on any Coinbase on-chain component
Same FiatToken pattern as USDC (battle-tested)
OP Stack (Bedrock) underpins $50B+ in L2 TVL
Z-factor: 0.848

Governance & Upgradeability

Weight 10%85% conf

Concerning

Single corporate entity (NASDAQ:COIN) controls ALL admin functions
No on-chain governance, no DAO, no token voting, no timelock
Any upgrade can be executed instantly
Mitigating: publicly-traded with SEC reporting obligations

Adversarial Resilience

Weight 10%95% conf

Concerning

48% critical ratio — highest in tracked portfolio

Operational Security

Weight 10%88% conf

Excellent

World-class security team (former NSA/GCHQ)
SOC2 Type II certified, 24/7 SOC
$1M+ bug bounty, professional incident response
Institutional-grade cold storage with HSMs

Cross-Chain Messaging

Weight 9%78% conf

Moderate

Base: single sequencer (Coinbase) — liveness SPOF
7-day withdrawal delay (standard OP Stack)
No fraud proof system live yet
PRIM-001 cross-chain replay is confirmed finding

Compositional Risk

Weight 5%78% conf

Good

cbETH is standalone ERC-20 with minimal external deps
Base inherits OP Stack (Bedrock) — well-audited
Smart Wallet has ERC-4337 + WebAuthn dependencies
Cross-chain replay risk on Smart Wallet (PRIM-001)

Cascade Exposure

Weight 5%50% conf

Excellent

No cross-protocol cascade exposure detected
Score: 95/100 (higher = more isolated from systemic risk)
Source: cross_protocol_composition.json dependency analysis

Supply Chain

Weight 4%90% conf

Strong

FiatToken pattern (same as USDC) — extremely well-audited
OP Stack (Bedrock) audited by Sherlock, Spearbit, OZ
Standard Solidity, OpenZeppelin libraries
No exotic dependencies

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Governance & Upgradeability40

Adversarial Resilience42

Access Control53

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure HistoryNot Assessed

Remediation VelocityNot Assessed

Bug Bounty ProgramNot Assessed

Audit CoverageNot Assessed

Incident HistoryNot Assessed

Deployed 2022-08-25Z-Factor 0.84811 active dimensions

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "coinbase"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours

Read Score

registry.getScore("coinbase")

Reduce exploitable risk

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.

View Monitoring Plans How Scores Work

Believe this score contains a factual error? Submit evidence for review →