BlackHart

Coinbase

TEMPERED

L2 / Staking / Wallet · Ethereum + Base · $11B+ TVL · 15 contracts

Confidence 77% · Z-Factor 0.85 · Updated 2026-05-17 · Cross-chain assessed · Public Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

BRI Score: 728
(gauge scale: 300 · 475 · 650 · 825 · 1000)

Security Profile

Access Ctrl: 53
Economic: 82
Oracle: 68
Compos.: 78
Govern.: 40
Maturity: 88
Resilience: 42
Supply Ch.: 85
X-Chain: 60
OpSec: 66
Cascade: 95

Min: 40 · Avg: 69 · Max: 95

Audit History

OpenZeppelin (cbETH): 2022-08
Sherlock (OP Stack/Bedrock): 2023-01
Coinbase Internal Security: 2022-07

Bug Bounty Program

$1,000,000
Max payout on HackerOne

Assessment

Institutional-grade OpSec and maturity offset by extreme centralization (D5=40) and 48 validated findings (23C+10H+15M). Highest critical ratio (48%) in tracked portfolio. C-BASENAME-001 (addr persistence through re-registration) further degrades access control.

Dimension Breakdown

Access Control
Weight 18% · 80% conf
53
Concerning
+11 Fully centralized admin (Coinbase controls minting, pausing, upgrades)
+11 cbETH has a minter role controlled by single entity
+11 Base sequencer is sole-operator
+11 Smart Wallet upgradeToAndCall is cross-chain replayable
Economic Soundness
Weight 13% · 82% conf
82
Strong
-6 cbETH exchange-rate model (not rebasing) is simple and safe
-6 Minimal MEV surface on staking derivative
-6 No flash loan exposure on cbETH
+82 Coinbase controls exchange rate oracle unilaterally
Oracle Integrity
Weight 13% · 75% conf
68
Moderate
+34 cbETH exchange rate set by Coinbase internal oracle
-16 No Chainlink, no TWAP, no on-chain verification
+34 Base uses standard OP Stack state root oracle
-16 Centralized oracle is trust assumption, not safety property
Battle-Tested Maturity
Weight 12% · 88% conf
88
Strong
+18 cbETH 33 months, Base 26 months, Coinbase Inc 12+ years
+18 Zero exploits on any Coinbase on-chain component
+18 Same FiatToken pattern as USDC (battle-tested)
+18 OP Stack (Bedrock) underpins $50B+ in L2 TVL
Governance & Upgradeability
Weight 10% · 85% conf
40
Concerning
+13 Single corporate entity (NASDAQ:COIN) controls ALL admin functions
-60 No on-chain governance, no DAO, no token voting, no timelock
+13 Any upgrade can be executed instantly
+13 Mitigating: publicly-traded with SEC reporting obligations
Adversarial Resilience
Weight 10% · 95% conf
42
Concerning
  • 48% critical ratio — highest in tracked portfolio
Operational Security
Weight 10% · 60% conf
66
Moderate
-17 No branch protection detected
+11 Active CI/CD (100% success rate)
+11 Commit signing: 100% verified
+11 Strong PR review culture (80% reviewed)
Cross-Chain Messaging
Weight 9% · 78% conf
60
Moderate
+20 Base: single sequencer (Coinbase) — liveness SPOF
+20 7-day withdrawal delay (standard OP Stack)
-40 No fraud proof system live yet
+20 PRIM-001 cross-chain replay is confirmed finding
Compositional Risk
Weight 5% · 78% conf
78
Good
-11 cbETH is standalone ERC-20 with minimal external deps
+39 Base inherits OP Stack (Bedrock) — well-audited
+39 Smart Wallet has ERC-4337 + WebAuthn dependencies
-11 Cross-chain replay risk on Smart Wallet (PRIM-001)
Cascade Exposure
Weight 5% · 50% conf
95
Excellent
-2 No cross-protocol cascade exposure detected
-2 Score: 95/100 (higher = more isolated from systemic risk)
+95 Source: cross_protocol_composition.json dependency analysis
Supply Chain
Weight 4% · 90% conf
85
Strong
+28 FiatToken pattern (same as USDC) — extremely well-audited
+28 OP Stack (Bedrock) audited by Sherlock, Spearbit, OZ
+28 Standard Solidity, OpenZeppelin libraries
-15 No exotic dependencies

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Governance & Upgradeability: 40
Adversarial Resilience: 42
Access Control: 53

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed

Deployed 2022-08-25 · Z-Factor 0.848 · 11 active dimensions

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

Protocol Slug: "coinbase"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours
Read Score: registry.getScore("coinbase")
