Coinbase Review

Hash: SHA1

On Monday February 24th, 2014 I was invited to the offices of Coinbase in San Francisco, as part of a voluntary cross-industry effort to provide independent review of the security of Coinbase customer funds. I am the Chief Security Officer at Blockchain, a bitcoin company that offers a web-wallet service that competes with some of Coinbase’s services. Prior to this day, I had not been to Coinbase’s offices, nor did I have any prior professional relationship with Coinbase. My visit was as an independent security expert with no financial control or interest in Coinbase. My goal during this visit was to validate the existence and security of customer funds.

During my visit, I met with the CEO and other executives and was presented with information on the mechanisms Coinbase uses to secure customer funds from theft, including their cold storage system and operating process.

I was shown an internal reporting tool used by Coinbase to verify total customer funds and the allocation of funds between the “hot wallet” and “cold storage” and funds in transit. Coinbase shared their process and technical details for cold storage, including their process to ensure funds cannot be retrieved from cold storage without the assembly of multiple keys controlled by different people.

While Coinbase publicly states that up to 97% of customer funds are in cold storage, at the time of my visit, their internal reporting tool showed that the cold storage system contained 98.8% of customer funds. To confirm for myself that these funds were in the cold storage system, I looked up the balance each of the cold storage addresses against the public blockchain, using an external site. The balance recorded on the public blockchain ledger for each of the addresses matched the balance recorded in Coinbase’s accounting system.

Although the accounting system and the blockchain balances appeared to match, I wanted to confirm that these addresses were actually controlled by Coinbase, thereby ensuring they controlled the funds. I randomly selected one of the cold storage addresses and requested that a transaction be signed to prove ownership of the address. This was not pre-arranged nor was there any warning that I would make such a request. Coinbase complied with my request and produced a transaction that proved they owned the cold storage address of my choosing.

Based on what I observed during my visit and my experience in security, it appears that the Coinbase system contains the expected funds and their cold storage system and process appear to be operating according to security best practices.

Andreas M. Antonopoulos
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools -