Coinbase

Coinbase Spend Permissions Contract Audit

Cantina Security Report

Organization: @Coinbase

Engagement Type: Cantina Reviews

Period: -

Repositories: N/A

Researchers:

Signature Path and Wallet Ownership Audit of Coinbase Spend Permissions

Coinbase is extending its smart wallet infrastructure with Spend Permissions, a delegated authorization system that lets apps request token spending allowances backed by cryptographic guarantees. The system supports both EOA and contract wallets and integrates with ERC-6492 so that signatures from not-yet-deployed (counterfactual) wallets can be validated alongside ordinary ones.

To validate this logic, Coinbase engaged Cantina for a security review. The audit surfaced two critical issues in the ERC-6492 signature routing: crafted inputs could drain smart wallets either by bypassing the owner index check or by submitting counterfactual signatures through manipulated call batches. Additional risks were found in the approval logic, in unguarded execution against arbitrary recipients, and in insufficient validation of permission periods.

Cantina supports wallet-based authorization frameworks with protections such as bug bounty programs, crowdsourced security competitions, and multisig security reviews, helping teams like Coinbase deploy permissioned token flows with cryptographic safety.


Findings

Critical Risk: 2 findings (2 fixed, 0 acknowledged)

Medium Risk: 1 finding (1 fixed, 0 acknowledged)

Low Risk: 2 findings (2 fixed, 0 acknowledged)

Informational: 1 finding (0 fixed, 1 acknowledged)

Gas Optimizations: 1 finding (0 fixed, 1 acknowledged)