# Scan Notes: Coinbase `cb-mpc`

Date: 2026-02-15
Repo: https://github.com/coinbase/cb-mpc
Program: HackerOne Coinbase (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 57 findings
- 55 are `go.lang.security.audit.unsafe.use-of-unsafe-block` (expected in low-level/crypto code; not a report by itself)
- 2 additional findings are in vendored code:
  - `vendors/secp256k1/.github/actions/run-in-docker-action/action.yml` (GitHub Actions interpolation warning)
  - `vendors/github-action-benchmark/...` (child_process usage warning)

Trufflehog (filesystem, no verification):

- 2 detections in vendored test fixtures (fake token/URL patterns), not real secrets.

## Takeaway

No obvious bounty-grade appsec issue surfaced in automated scans. If we keep hunting here, it will likely be deep crypto/side-channel/memory-safety review rather than classic web vulns.