Coinbase Logo

Language and region

Security PSA: Securely designing and integrating with wallet services

Tl;dr: This blog post explores best practices for securely designing and interacting with wallet services. We share insights related to our fast-track incident response, "no secrets in databases" approach, and real-time balance verification.

By The Coinbase CryptoSec Team

Engineering

, December 20, 2023

pasted image 0 (29).png

After diving into the intricacies of protocol services in our previous blog, in this post we’ll explore another critical segment of cryptocurrency services—wallet services. Wallet services act as the interface between the blockchain stack and non-blockchain services, facilitating the execution of blockchain transactions by using Signer and Protocol services. These services offer an abstraction layer over blockchain-specific logic and secure key management, allowing seamless onchain operations across blockchain products.

Wallet Services for Blockchain Technologies

Fast Track Incident Response

Wallet services are not just transaction facilitators—they are the frontline defense in ensuring asset security. When anomalies like forks, reorgs, or flawed upgrades occur, these services offer the ideal entry point for immediate countermeasures and can be configured to further safeguard user assets during network uncertainties. Confirmation counts are a good example of one such wallet-level configuration which dictates how many blocks need to be mined on-chain before an exchange (or another creditor) considers the transaction final and credits the recipient’s account for the funds involved in the transaction. “Kill-switches” are another such configuration that effectively stops services from reacting to on-chain events.

Scenario: A blockchain network unexpectedly forks into 2 competing chains, causing uncertainty in the network with the potential for transactions to be double spent across the two chains.

Risk: A wallet service has no killswitch to halt its processing of blockchain transactions. Thus, the fork means that it is difficult to ensure the wallet is following the accurate branch of the chain. This could result in transactions being credited during an incident that later are reversed. 

What does Coinbase do?

Coinbase has designed wallet systems with the possibility of blockchain incidents as a high priority risk scenario. This has caused us to expose configuration options that allow incident response teams to make immediate, real-time adjustments, including rapid increase in confirmation count or temporarily pause the crediting of incoming deposits (i.e., “killswitch”). This agile response mechanism serves not just as a failsafe but as an active countermeasure system, allowing us to act swiftly to protect user assets as we work through incident response.

No Secrets in Databases 

Contrary to what one might expect, wallet services don’t store private keys; in our blockchain stack, this responsibility falls to the signer services. The existence of signer services, services responsible for producing digital signatures for cryptocurrency transactions by relying on a state store containing cryptocurrency private key material, allows us to unburden any other system from being responsible for storing and using a cryptocurrency private key. This design paradigm allows simple, high-level reasoning about wallet service risks, streamlining and reducing the chance of error in many types of security reviews.

Scenario: A data science team wants to perform analysis on the database of a wallet service.

Risk: Improper access to the database could result in secrets being exposed through the data analysis pipeline. To mitigate this risk, the data science team is required to obtain security reviews when performing data extraction operations, significantly extending the timeline for the work due to the threat modeling and security review required. 

What does Coinbase do?

Coinbase wallet services avoid storing secrets in their databases. This simplifies internal processes while drastically reducing the surface area for potential attacks or exposure of the secrets.

Balance Calculation Certainty

Blockchain protocols are susceptible to sudden upgrades that may change balance calculation logic, introducing variables like state rent, complex transaction fee logic, or constant inflation. 

Scenario: An unexpected protocol upgrade introduces a flat percentage transaction fee on all token transfers.

Risk: A wallet service relies on outdated transaction parsing logic that does not incorporate the transaction fee. Thus, when a customer makes a deposit, they are credited with more money than was actually deposited onchain. Depending on the logic of the network, it may be possible for a customer to withdraw and deposit repeatedly, turning a small balance miscalculation into a large theft from an exchange.

What does Coinbase do?

Coinbase leverages a redundant balance verification system. This system performs proactive detection and mitigation for inconsistent address balances. It also includes continuous, automated verifications on all wallet addresses with high-value addresses undergoing more frequent checks. Through this focused approach, we ensure that wallet balances remain accurate and secure, aligned with real-time blockchain states.

Providing Best in Class Security

In the crypto industry, Security isn't a luxury; it's an imperative and, while there is never a perfect security state, we are constantly working to make our products and services more secure. By sharing these practices, we hope to ensure a safer and more reliable environment for all participants in the ecosystem. Stay tuned for the next installment in our series where we'll delve into more aspects of blockchain security.

--

Coinbase practices and processes may evolve or change over time. Posts may not be updated to reflect those changes and should only be read to represent practices at the time of publication.

Coinbase logo