Coinbase's Auditing Standards with Shashank Agrawal
Episode Synopsis
Coinbase's security process protecting over $7 billion in TVL rejects the single-audit model common in DeFi. Shashank Agrawal, Senior Engineering Manager, Protocol Security at Coinbase, explains their multi-round validation approach: internal security teams (separated from product engineering) audit first, then external firms audit, and rounds continue until external auditors surface only lows and informationals—never highs or criticals.
This stopping rule creates a quality bar where internal audits must catch everything significant before external validation. For the Base bridge specifically, this meant independent OP Stack security validation despite Optimism's existing audit work, driven by the "absolutely zero room for error" standard when contracts hold substantial user funds. Their approach treats external auditors as verification layers rather than primary discovery mechanisms.
Topics discussed:
Multi-round audit methodology continuing until external firms find zero high-severity or critical issues
Internal security team structure operating independently from product engineering before external validation
Base bridge security requiring custom OP Stack validation independent of Optimism's audit coverage
In-house MPC library development using professor-reviewed specs bridging research papers to production implementation
Tabletop war gaming exercises simulating worst-case chain scenarios with security, engineering, legal, and compliance teams
Free Hexagate monitoring partnership providing base-layer protocol coverage for Base ecosystem builders
Security hiring process using live code audits at different complexity levels for senior (level 5) versus staff (level 6) positions
Off-chain infrastructure security: key management and transaction signing treated as equal priority to smart contract auditing
AI smart contract auditing tools showing current production limitations in determinism and false positive rates
Incident response planning where monitoring systems and alert workflows prioritize minute-by-minute decision speed