Coinbase

Coinbase Spend Permissions Competition Audit

Cantina Security Report

Organization

@Coinbase

Engagement Type

Cantina Competition

Period

-


Delegated Spend Permissions Security Review for Coinbase

Coinbase explored delegated token controls through its Spend Permissions system, enabling smart wallet users to grant granular approval to external apps. This framework supports structured allowances, time windows, and off-chain signatures across both EOAs and smart contract accounts.

To validate its integrity, Coinbase partnered with Cantina to run a crowdsourced security competition targeting the Spend Permissions codebase. Participants surfaced dozens of issues across approval logic, execution edge cases, and ERC-6492 signature behavior, highlighting potential denial-of-service conditions, trust-model ambiguity, and missing revocation checks in multi-actor environments.

Cantina supports secure permission systems with additional services such as security audits, bug bounty programs, and multisig security, ensuring robust access control across account abstraction and smart wallet deployments.


Findings

Low Risk

6 findings

0 fixed

6 acknowledged

Informational

11 findings

0 fixed

11 acknowledged