Advanced Security Architecture & Threat Model
Security is the non-negotiable foundation of the Coinbase Extension. Our architecture employs a multi-layered, zero-trust approach, designed specifically to mitigate common extension-based attack vectors, such as side-channel attacks and supply-chain compromises. The wallet secrets, which include private keys and recovery seeds, are never stored in plaintext within the browser's persistent storage. Instead, they are encrypted using AES-256 in GCM mode with a master key derived from a user-defined password using a minimum of 100,000 rounds of PBKDF2, which raises the computational cost of brute-force attacks. This key derivation process is executed exclusively in a secure, isolated Web Worker thread, preventing main-thread execution blocking and reducing exposure to XSS vulnerabilities. The encryption key is held transiently in memory only for the duration of an active, authenticated session and is immediately purged upon session inactivity or manual log-out.
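The derive-then-encrypt scheme described above, written against the WebCrypto API as an added example (not code from the extension itself). SHA-256 as the PBKDF2 hash, the 16-byte salt, the 12-byte IV and all function names are assumptions; the page specifies only AES-256-GCM and the 100,000-round minimum.

```javascript
// Added example: password-based sealing of a wallet secret with WebCrypto.
// Assumptions (not from the page): PBKDF2 hash is SHA-256, salt is 16 bytes,
// IV is 12 bytes; sealSecret/openSecret/deriveKey are hypothetical names.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // Node fallback
const MIN_ITERATIONS = 100000; // minimum round count stated on the page

async function deriveKey(password, salt, iterations) {
  // Enforce the floor on every derivation, including when opening a record
  if (iterations < MIN_ITERATIONS) throw new Error("iteration count below floor");
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  // extractable=false: script cannot export the AES key once it is derived
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function sealSecret(password, secret, iterations = MIN_ITERATIONS) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per record
  const iv = wc.getRandomValues(new Uint8Array(12));   // never reused with a key
  const key = await deriveKey(password, salt, iterations);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(secret));
  // Only these fields go to persistent storage; the key itself is never stored
  return { iterations, salt, iv, ciphertext: new Uint8Array(ct) };
}

async function openSecret(password, record) {
  // The stored iteration count is untrusted input: a record rewritten with a
  // low count is rejected by deriveKey before any key is derived.
  const key = await deriveKey(password, record.salt, record.iterations);
  // A wrong password or modified ciphertext fails GCM tag verification
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: record.iv }, key, record.ciphertext);
  return new TextDecoder().decode(pt);
}
```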
**Network Isolation and CSP:** The extension operates under a strict Content Security Policy (CSP), aggressively whitelisting approved domains (only Coinbase API endpoints are permitted). All external scripts, analytics, and third-party resources are blocked by default, drastically minimizing the surface area for injection attacks. Furthermore, all transaction signing requests are processed in a dedicated background service worker. This service worker communicates with the content script via secure, authenticated messaging channels, ensuring that sensitive data never touches the DOM of the active web page. This network isolation prevents malicious websites from eavesdropping on the extension's communications or manipulating transaction payloads before signing. Every outgoing API request is cryptographically signed with an ephemeral session token, verifying its integrity and origin.
**Transaction Review and Phishing Resistance:** Before any transaction is broadcast to the network, the user is presented with a mandatory, human-readable review screen detailing the recipient address, asset amount, network fee, and an estimated gas limit. This confirmation screen is rendered in a separate, sandboxed iframe or a new popup window, making it significantly harder for malicious scripts on the active tab to overlay or spoof the critical details, an important measure against transaction-signing phishing attacks (blind signing). We employ a robust, real-time address validation service that flags known scam addresses or addresses associated with recent security incidents, providing an additional layer of warning to the user. A Time-based One-Time Password (TOTP) is mandatory for transactions exceeding user-defined thresholds, enforcing two-factor authentication for high-value operations.
**Code Auditing and Continuous Integration:** The open-source components of the extension are subject to continuous security auditing using automated static analysis tools (SAST) and dynamic analysis tools (DAST). Furthermore, the core cryptographic library dependencies are vendored and meticulously audited to ensure compliance with FIPS 140-2 standards where applicable. Updates are deployed using browser-native update mechanisms but require multi-signature approval from the Coinbase security team before being pushed to production channels. This rigorous process minimizes the risk of unauthorized code changes. The extension also includes hardware wallet support (simulated integration with Ledger/Trezor protocols), ensuring that the ultimate signing authority resides off-device, which is the highest security standard for hot wallets. This design means even if the extension's operating environment were compromised, the private keys would remain protected by the physical hardware device. The combination of local encryption, stringent CSP, network isolation, and mandatory human review constitutes a comprehensive security posture designed for institutional-grade safety in a consumer-friendly interface.