Coinbase Review


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday February 24th, 2014 I was invited to the offices of Coinbase in San Francisco, as part of a voluntary cross-industry effort to provide independent review of the security of Coinbase customer funds. I am the Chief Security Officer at Blockchain, a bitcoin company that offers a web-wallet service that competes with some of Coinbase’s services. Prior to this day, I had not been to Coinbase’s offices, nor did I have any prior professional relationship with Coinbase. My visit was as an independent security expert with no financial control or interest in Coinbase. My goal during this visit was to validate the existence and security of customer funds.

During my visit, I met with the CEO and other executives and was presented with information on the mechanisms Coinbase uses to secure customer funds from theft, including their cold storage system and operating process.

I was shown an internal reporting tool used by Coinbase to verify total customer funds and the allocation of funds between the “hot wallet” and “cold storage” and funds in transit. Coinbase shared their process and technical details for cold storage, including their process to ensure funds cannot be retrieved from cold storage without the assembly of multiple keys controlled by different people.

While Coinbase publicly states that up to 97% of customer funds are in cold storage, at the time of my visit, their internal reporting tool showed that the cold storage system contained 98.8% of customer funds. To confirm for myself that these funds were in the cold storage system, I looked up the balance of each of the cold storage addresses against the public blockchain, using an external site. The balance recorded on the public blockchain ledger for each of the addresses matched the balance recorded in Coinbase’s accounting system.

Although the accounting system and the blockchain balances appeared to match, I wanted to confirm that these addresses were actually controlled by Coinbase, thereby ensuring they controlled the funds. I randomly selected one of the cold storage addresses and requested that a transaction be signed to prove ownership of the address. This was not pre-arranged nor was there any warning that I would make such a request. Coinbase complied with my request and produced a transaction that proved they owned the cold storage address of my choosing.

Based on what I observed during my visit and my experience in security, it appears that the Coinbase system contains the expected funds and their cold storage system and process appear to be operating according to security best practices.

Andreas M. Antonopoulos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----