Coinbase teaches you how to evaluate secure projects! These four points are the basic criteria for listing candidates.

A study found that in 2020, when Coinbase announced its "candidate" list for listing, buying nearly 20 cryptocurrencies upon the announcement resulted in over 20% return within just one week. While this could be attributed to the Coinbase brand effect, Coinbase also recently disclosed its criteria for selecting ERC-20 tokens. From a quality perspective, how does Coinbase choose these tokens? (Assuming they actually follow these criteria.) These concepts can also help you assess the credibility of a cryptocurrency project.

Security Assessment by Coinbase

Coinbase explained in a post on the 18th that when evaluating ERC-20 tokens for listing, they conduct four security reviews:

• Code verification
• Use of industry-standard libraries
• Limited privileged roles
• Simple, modular design

Coinbase stated that although the ERC-20 token standard is relatively simple, the practical application from a single smart contract to the entire ecosystem is very complex. These four review criteria are the basic conditions they use to protect users.

Coinbase: Code Verification is Key

Coinbase stated that this is the most important step for them when listing a token. The post mentioned that providing code for security engineers to audit and produce high-confidence comments is the least effort for issuers but offers the highest chance of being listed.

Coinbase also provided ways for code verification:

• Upload all smart contract code to trusted platforms (e.g., Etherscan)
• Put the code in a shared repository (e.g., GitHub), especially before deployment
• If the token is upgradable, express each stage of token upgrades with different release versions

Avoid 100% Originality: Harness Collective Wisdom

Coinbase advised against writing completely new smart contracts from scratch, echoing the saying "Don’t Roll Your Own Crypto," warning that individual developers or teams without experience may make mistakes in critical details, leading to token vulnerabilities. Coinbase believes that adhering to popular and rigorously reviewed open-source smart contract standards is the key to contract security.

They also offered some advice:

• Developers can obtain smart contract standards from shared repositories like OpenZeppelin.
• If developers need to deploy special functions like off-chain signatures or transaction hooks, they should follow the guidance of Ethereum Improvement Proposals (EIP).

Beware of Hidden Hands!

Regarding human elements, Coinbase mentioned that tokens often have some "privileged roles" known as "super users" who are owners, administrators, or controllers. In certain smart contracts, they possess significant power, enabling them to freeze transactions, alter balances, or even completely change token logic. Coinbase believes that the existence of such roles could jeopardize their ability to securely custody user assets, thus reducing the likelihood of listing.

Their recommendations include:

• Without permission, no role should be able to freeze, destroy, or modify user funds in any way.
• If feasible, token upgrades should require user consent rather than allowing privileged roles to unilaterally change smart contract functions.
• If the above conditions cannot be met, provide detailed policies and procedures for key management and usage, especially for parts that affect user balances. Ideally, keys should be held by qualified custodians who can demonstrate that critical roles are taken in accordance with the required number of legal entities.

Keep It Simple, No Need for Complexity

"From a security perspective, we like boring tokens," Coinbase stated. Although complex protocols can enhance token functionality, the tokens themselves do not need to be complex. Coinbase defines "simple" as reducing the components of a token project and "modular" as the distribution of logic and division of labor between contracts.

Their suggestion is that reducing token complexity can reduce the likelihood of failure:

• Separate token contracts from other parts of the protocol to keep token-related functions to a minimum.

• Reduce or eliminate reliance on external tokens.

• It's best to use fewer smart contracts to implement a token.

More Points to Note

In addition to the four main points, Coinbase also listed advanced conditions such as accepting audits of smart contracts by reputable audit firms, offering bug bounties for public assistance in auditing, and providing detailed documentation (token purpose, project architecture, disclosure of privileged roles, secure key management).

What Do Retail Investors Care About?

Security is indeed a fundamental requirement for all cryptocurrency investments. The scrutiny mentioned above actually goes beyond the scope of most ordinary investors. As mainstream centralized exchanges require a certain operational cost for listing and are responsible for protecting user assets, they are stakeholders in the interests of users. While centralized platforms review the tokens for listing, they also consider their own interests. Therefore, choosing to trade on large international centralized exchanges has met the basic token security review (although many tokens still face security issues…).

However, most retail investors are more likely concerned about whether they will be scammed and if they can make money. Even if the token contract itself is secure, it cannot prevent financial losses from investments.

"Information asymmetry" remains a pain point in the trading market. Although blockchain and cryptocurrency provide everyone with investment opportunities, the financing structures and market value management behind each project are often opaque or unreasonable. Investors who do not raise their vigilance can easily become victims of manipulation.

Recently, new cryptocurrencies traded on decentralized platforms like Uniswap have grown wildly like the Wild West. Without thorough research, investors may suffer significant financial losses despite the token contract being very secure, so caution is advised.