
The goal of Base is to onboard millions of developers and billions of users to blockchain. Security is an important component of this vision. We would like to share the security measures we have taken on Base so far, including how we have prepared for a secure mainnet release through internal and external security audits, as well as how we have leveraged Coinbase's best practices in on-chain security.
Secure by Open Source OP Stack
Base is built on the OP Stack, developed in collaboration with Optimism. This means that from the beginning, we have built on the extensive security work of the OP Labs team and the wider Optimism community, including multiple audits from professional firms and community competitions.
To further test the security of the OP Stack, Coinbase commissioned its Protocol Security team to perform an internal audit. The Protocol Security team is a dedicated team that works closely with on-chain developers across the company to ensure that new products and services are implemented securely, including through smart contract audits and reviews of novel blockchains.
Over the past 6 months, the Protocol Security team has closely collaborated with OP Labs to enhance the security of Base and Optimism, including:
Audit of all Optimism pre-deployments and contracts, including L1 and L2, to identify vulnerabilities and risks in the technical stack.
Application of fuzz testing methods to key components such as L2 bridging and sequencers.
Development of operational playbooks for various risk scenarios and specific emergency events.
Review and audit of Base's key management setup and contracts. We meticulously assessed each role, identified the appropriate key management configuration to ensure proper consensus when using keys, and developed comprehensive disaster recovery plans.
These thorough security processes have been completed without any critical vulnerabilities found, giving the Base team confidence to proceed with the mainnet release.
Expanding the Scope of External Audits
We know that good security requires collective effort: the more code reviews, the better. To prepare for the mainnet launch of Base, we conducted a public smart contract audit competition through Code4rena, inviting the broader community to discover and report vulnerabilities in any part of the OP Stack. This includes vulnerabilities in OP node software, EVM equivalence, bridging vulnerabilities, and general smart contract issues. Meanwhile, Coinbase's Protocol Security team thoroughly reviewed the findings and mitigation measures of past audit programs (Spearbit and Sherlock).
In this competition, we attracted over 100 security researchers and are pleased to report that no significant vulnerabilities were found. Due to the high level of researcher involvement, we are actively addressing all submitted issues and ensuring appropriate actions are taken for any informational or minor issues reported.
Empowering the Ecosystem
In addition to protecting the security of the core OP Stack codebase, we are focused on enhancing the overall security of the Ethereum ecosystem. To strengthen the security of Base and support teams building chains based on the OP Stack, we are developing an open-source monitoring tool called Pessimism. This tool will provide timely notifications of anomalies in the protocol and network, such as abnormal account balances, contract events, or differences between L1 and L2 states. This new monitoring tool will be used in conjunction with existing OP Labs monitoring tools like Fault-Detector, Coinbase's internal blockchain monitoring capability, and third-party tools for identifying malicious and abnormal events. Stay tuned for more details about our monitoring tool in the coming months.
Furthermore, we are developing tools to increase developers' confidence in the security of their deployed smart contracts, including a smart contract security scanning tool. This tool will help developers reduce the chances of writing security vulnerabilities in their contracts. Developers can quickly and easily scan their contracts and obtain results from multiple open-source vulnerability detection tools, including Coinbase's proprietary security feature analyzer. Learn more about this work in our recent Coinbase blog post.
Launching the Mainnet with a Security-First Mindset
The development of Base has always prioritized security, combining Coinbase's security best practices with the decentralized security rigor of open-source codebases. Part of this involves starting from the assumption that malicious events can occur and recognizing that attacks will become increasingly sophisticated. Therefore, we have run simulations and tests, and improved both our ability to respond to a large-scale incident and the overall resilience of Base.
Our goal in all security work is to prevent attacks in advance and reduce their impact. We are proud of the work we have done to ensure the security of Base, and although even the best control measures can sometimes fail, we will always continue to learn and do better.
We are eager to launch Base on mainnet soon and to continue building to strict security standards so that developers can participate in the blockchain with confidence.