Coinbase Spend Permissions Contract Audit
Cantina Security Report
Organization
- @Coinbase
Engagement Type
Cantina Reviews
Period
-
Repositories
N/A
Signature Path and Wallet Ownership Audit of Coinbase Spend Permissions
Coinbase is extending its smart wallet infrastructure with Spend Permissions—a delegated authorization system that enables apps to request token spending allowances with cryptographic guarantees. This system supports EOA and contract wallets and integrates with ERC-6492 for flexible signature flows.
To validate this logic, Coinbase engaged Cantina for a security review. The audit surfaced two critical issues in the ERC-6492 signature routing, enabling scenarios in which malicious inputs could drain smart wallets by bypassing owner index checks or by submitting counterfactual signatures through manipulated call batches. Additional risks were found in the approval logic, in unguarded recipient execution, and in insufficient period validation.
Cantina supports wallet-based authorization frameworks with robust protections such as bug bounty programs, crowdsourced security competitions, and multisig security, helping teams like Coinbase deploy permissioned token flows with cryptographic safety.
Findings
Critical Risk: 2 findings (2 fixed, 0 acknowledged)
Medium Risk: 1 finding (1 fixed, 0 acknowledged)
Low Risk: 2 findings (2 fixed, 0 acknowledged)
Informational: 1 finding (0 fixed, 1 acknowledged)
Gas Optimizations: 1 finding (0 fixed, 1 acknowledged)