How Coinbase Protects Users From Risky Assets

By Dan Kim — Vice President, Ecosystem and Listings

Tl;dr: Coinbase reviews thousands of crypto tokens; around 90% never get considered for listing as they do not meet our strict requirements for protection against scams like “pump-and-dumps” and “rug pulls.”

Our proprietary threat detection software has identified and blocked over 700 tokens with malicious software that can harm Coinbase users.

We also conduct in-depth research on project teams to ensure they don’t have a record of engaging in questionable business practices.

In order to get the next 100 million people into web3, we need to make it easy to buy, sell, and hold the safest and most reputable catalog of digital assets, and further solidify Coinbase as the most trusted bridge to the cryptoeconomy. We also need to make sure users are protected.

That’s why our goal at Coinbase is to list every asset that meets our industry-leading standards for risk, safety, and user protection: If an asset doesn’t meet those standards, we don’t list it.

We only announce the assets we have decided to list — not the ones that fail to meet our standards. But we’ve heard from many of you that you’d like to learn more about how we decide which assets are added to our roadmap.

How Coinbase reviews digital assets

We review assets based on applications submitted by project teams on Coinbase Asset Hub, as well as the thousands of other projects we track across the global web3 ecosystem.

The order in which we sequence asset reviews is not based on whether we think a project is popular or interesting. Our framework is much more objective and nuanced, and includes factors such as the legitimacy of a project’s white paper, integrity of their contributors, details of how their token works, and engagement levels of their user and developer communities. We only consider listing those assets that meet our rigorous guidelines for legality, safety, reputability, and technical integrability.

We do not list the majority of the tokens that we review. In fact, out of every 100 tokens we consider, only around 10 are identified as potential candidates for Coinbase Exchange, and fewer than that actually get approved for listing.

Today we’re sharing more details about the industry-leading tools, systems and methods we use to protect our users from dangerous digital assets.

How our threat detection software keeps users safe

Blockchain technology is constantly evolving, so any asset review system must be able to adapt with those changes.

That’s why Coinbase developed our proprietary secure trait analyzer, a safety-first, threat detection software that informs us if a token is designed in a way that can harm you or your crypto.

Our software automatically reviews tokens on all the blockchains we support, and identifies those programmed with software (also known as smart contracts) that can potentially harm Coinbase customers. The secure trait analyzer works by detecting specific patterns in smart contracts (which we call code signatures), and comparing them against our database of code signatures from previously analyzed smart contracts. The more smart contracts we review, the faster we’ll be able to distinguish the safer tokens from the riskier ones.

So far, our Listings team has used this automated system to identify over 700 tokens that didn’t meet our security standards due to critical risks, such as single individuals being able to automatically seize users’ funds or unilaterally drain account balances. The proprietary software has also helped us detect dangerous backdoor vulnerabilities — like those that can be used for rug pulls, in nearly one out of every four smart contracts we’ve reviewed.

Whenever we find things that aren’t safe, we ask project teams to take the appropriate measures to mitigate those risks. If they don’t, we don’t list their tokens.

Added security from comprehensive research

In addition to screening smart contracts with our threat detection software, we also conduct other types of detailed due diligence to protect our users.

That includes in-depth research into the project’s purpose, milestones, and key contributors to make sure we’re complying with regulations and identifying any potential connections to illicit activity.

To capture the most comprehensive view of all assets we consider for listing, we also perform on-chain and off-chain analyses of quantitative and qualitative signals — things like historical token prices and trading volume, ownership and vesting schedules, investment and financing history, market capitalization, community sentiment, technical roadmap, and information about how tokens are earned, burned, and distributed.

Digging deeper: Protecting users from bad actors

Beyond our security reviews, we take other important steps to protect our customers from scams.

Earlier this year, we implemented a fraud detection framework that expands our ability to identify even more factors that could potentially harm Coinbase customers. This analysis is specifically designed to evaluate consumer and business risks that might not show up when we review project whitepapers or analyze token smart contracts — things like key project contributors with a record of shady business practices or confirmed allegations of pump-and-dumps.

Since implementing this additional layer of protection, the Listings team has identified nearly 100 projects with tokens that we perceive to be high risk and have chosen not to list.

Coinbase is the most trusted platform for buying, selling, and exchanging digital assets. While we aim to list as many assets as we legally can, our priority is to protect our users. We’ve invested an enormous amount in tools and processes that weed out risky assets, and will continue working towards keeping all Coinbase users safe.


How Coinbase Protects Users From Risky Assets was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

2 September 2022 13:59

Prefer comparing real-time prices for all crypto's and providers?