Tl;dr: Coinbase has reviewed thousands of tokens written in Solidity using the secure trait analyzer tool. The results of our reviews reveal that unauthorized transfers and code mutability are the most common high-risk characteristics used in token projects.
Coinbase’s proprietary secure trait analyzer is a threat detection program that informs us if a token is designed in a way that can harm you or your crypto. The software leverages an industry-leading risk framework to help us understand a token project’s characteristics and execute security reviews to determine the confidence in custodiability of ERC-20 or ERC-721 tokens. Custodiability is the capacity to reliably receive, store, and send original or accrued balances of an asset.
To support new asset additions, Coinbase’s Blockchain Security team has reviewed thousands of unique token addresses totaling more than tens of thousands of unique functions. Through our security review framework and analyzer software, we can review ERC-20 and ERC-721 tokens at the level of individual functions and recommend whether or not to support an asset.
In this blog post, we review the aggregated results of our security reviews to provide a macro perspective of smart contract characteristics. We’ve highlighted token statistics and provided insight into the potential custodiability risk vectors that could materialize under each characteristic. Finally, we provide recommendations on how to securely engage with Solidity tokens and reduce exposure to custodiability risks.
A macro view of smart contract functionality
The below statistics represent how often certain token characteristics have been seen across our thousands of completed smart contract reviews. We have also included details on the custodiability risks associated with each characteristic and explain how they could be exploited to produce unintended smart contract behavior. When high-risk characteristics are identified, we work directly with asset issuers to apply mitigations where possible.
Please note that the characteristics outlined above (sorted by highest potential impact) are only a subset of the characteristics that are evaluated within a security review; there are other factors and risks that are considered during each review.
Coinbase reviews every token for critical technical security risks before making a recommendation to partner teams on whether or not to support an asset. When smart contracts employ characteristics that have direct impacts on custodiability, our security frameworks require the function to be protected through decentralized decision-making (e.g. multisig or governance contract) or by revoking the privilege.
In order to maintain high confidence in custodiability in all the assets that we list on our exchange, Coinbase fails any asset that has dangerous functionality. Our secure trait analyzer inventories all function risk classifications across the thousands of assets reviewed and enables our Blockchain Security team to review ERC-20/ERC-721 assets at scale. It currently holds over tens of thousands of functions with classified risks, and this number grows every time we review a new EVM token. Quality assurance measures are in place to review our risk classifications, and on-chain monitoring detects changes to an asset’s risk profile so that a re-review of the asset is triggered and our customers are further protected.
What does it all mean for you?
At Coinbase, we believe that everyone deserves access to financial services that can help empower them to create a better life for themselves and their families. We understand that trust is built on dependable security — which is why we make protecting your account & your digital assets our number one priority.
If you are a crypto user and identifying technical security risks is not your forte, leave it to us: our team of experienced blockchain security professionals is expert in identifying and mitigating custodiability risks across various types of web3 protocols. Our dedicated Digital Asset & Protocol Security team is responsible for protecting users from these technical security risks and will never recommend an asset for listing when we do not have confidence in the asset’s custodiability.
If you are a web3 token developer and are looking to create and integrate with secure web3 products, avoid adding high-risk smart contract characteristics. However, if you need high-risk characteristics for a project, proactively apply mitigations to reduce risks for your token holders. If identifying and mitigating custodiability risks is not in your wheelhouse, then apply for listing with Coinbase. We will work with the development team to identify and mitigate risks in order to secure your token project.
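To make the advice above concrete, here is an added Solidity example (written for this post, not Coinbase’s code and not any listed token) of what a reviewer looks for when the two most common high-risk characteristics, a transfer that bypasses holder consent and a mutable parameter, are present, and of the two mitigations described earlier: gating the privilege behind a decentralized decision-maker such as a multisig or governance contract, or revoking it entirely. The contract and function names (ReviewedToken, adminTransfer, feeBps, MAX_FEE_BPS) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Coinbase's code and not any listed token: a minimal
// ERC-20-style token carrying the post's two most common high-risk traits (a
// transfer that bypasses holder consent, a mutable parameter) next to the
// mitigations the post describes (gate behind a decentralized decision-maker,
// or revoke). ReviewedToken, adminTransfer, feeBps, MAX_FEE_BPS are assumed names.
contract ReviewedToken {
    uint256 public constant MAX_FEE_BPS = 100; // hard cap: at most 1% per transfer

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Privileged role. Mitigation 1: set this to a multisig or governance
    // contract at deployment, never to a single externally owned account.
    address public admin;
    // Mutable parameter (code mutability). Bounded by MAX_FEE_BPS so that no
    // admin decision can turn the fee into confiscation of balances.
    uint256 public feeBps;
    // Mitigation 2: the privileged transfer can be revoked permanently, and
    // anyone can read this flag on-chain to confirm it.
    bool public adminTransfersRevoked;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event AdminTransfer(address indexed from, address indexed to, uint256 value);
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);
    event PrivilegeRevoked(string privilege);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(uint256 initialSupply, address governance) {
        require(governance != address(0), "admin required");
        admin = governance;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }
    // Holder-authorized transfers: the paths a review expects balances to move through.
    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance exceeded");
        allowance[from][msg.sender] = allowed - value;
        _move(from, to, value);
        return true;
    }

    // High-risk characteristic: `from` never approved this move, so a review
    // classifies it as an unauthorized-transfer capability. Tolerable only while
    // `admin` is a decentralized decision-maker; revoke it once no longer needed.
    function adminTransfer(address from, address to, uint256 value) external onlyAdmin {
        require(!adminTransfersRevoked, "privilege revoked");
        _move(from, to, value);
        emit AdminTransfer(from, to, value);
    }

    function revokeAdminTransfers() external onlyAdmin {
        adminTransfersRevoked = true;
        emit PrivilegeRevoked("adminTransfer");
    }

    // Mutable parameter with an on-chain bound the admin cannot exceed.
    function setFeeBps(uint256 newFeeBps) external onlyAdmin {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        feeBps = newFeeBps;
    }

    // Hand the privilege to a new decision-maker (e.g. deployer to multisig) or
    // give it up for good by passing address(0): no caller can satisfy onlyAdmin
    // once admin is the zero address.
    function transferAdmin(address newAdmin) external onlyAdmin {
        emit AdminChanged(admin, newAdmin);
        admin = newAdmin;
    }

    function _move(address from, address to, uint256 value) internal {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= value, "insufficient balance");
        uint256 fee = (value * feeBps) / 10_000; // fee is burned, never paid to admin
        balanceOf[from] -= value;
        balanceOf[to] += value - fee;
        totalSupply -= fee;
        emit Transfer(from, to, value - fee);
        if (fee > 0) emit Transfer(from, address(0), fee);
    }
}
```

The design choice worth noting is that every privileged capability is either bounded on-chain (the fee cap) or removable on-chain (revokeAdminTransfers, transferAdmin to address(0)), and each state change emits an event. That is what lets a holder, or a monitoring system like the one described above, verify from chain data alone who controls the privilege and whether the asset’s risk profile has changed since it was reviewed.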
We want our customers to engage with digital assets while having the confidence that their funds will always remain their funds. As users interact with more crypto projects and continue to explore the decentralized web, we want crypto participants to remain aware of the different risks that can materialize and make informed decisions when choosing to engage with smart contract projects.