Total risk score: 90 (High)
Collateral
4/10
What are you pledging? Native BTC is safest; wrappers, bridges, or paper IOUs add redemption risk.
BTC is withdrawn from your Coinbase account, wrapped into cbBTC and deposited to a Morpho smart-contract vault – i.e., an ERC-20 representation, not native UTXOs.
Rehypothecation
2/10
Will your BTC be re-used? More hidden leverage → bigger blow-up chance.
Coinbase doesn’t reuse customer crypto without consent; cbBTC is locked in a Morpho contract and not rehypothecated. All borrower collateral is pooled in a single Morpho Blue market.
Custody
4/10
Who can move the coins? Scores quorum design, recovery paths, and (for CeFi) bankruptcy-remote segregation.
Coinbase’s Bitcoin-backed loans are treated as mainly “CeFi” because the BTC that backs cbBTC is held by a centralized custodian (Coinbase Custody). Because the product uses a wrapped asset, it introduces two custody layers. We split them in the model: the centralized custodian exposure is captured in Collateral = 4, while the cbBTC that borrowers pledge is commingled inside a single, immutable Morpho Blue vault, so the DeFi ladder assigns Custody = 4.
Security & Governance
7/10
How battle-tested are code and ops? Counts audits, bug-bounty, certs, and hardware key isolation.
Morpho’s lending code has undergone dozens of public audits (Spearbit, OpenZeppelin, Runtime Verification) and is covered by a large bug-bounty program. Borrower keys come from Coinbase Smart Wallet passkeys; the on-chain wallet contract is open-source and audited, but the mobile/browser client remains closed-source and non-reproducible. Coinbase cosigner keys reside in HSM-backed cold storage, yet Chainlink oracle-signer key custody is undisclosed. A Chainlink mis-price on 29 May 2025 (deUSD at $1.03) wiped out ≈ $500k on Avalanche, highlighting single-provider risk. Together these gaps place Coinbase-Morpho at Security & Governance = 7.
Platform
7/10
Is the chain or bridge robust? Rates consensus security and smart-contract attack surface.
Coinbase-Morpho's Bitcoin-backed loan service runs on Base. Base is an Ethereum Layer-2 optimistic roll-up that posts its batches to Ethereum mainnet for final settlement and security. All in-flight transactions are ordered by a single sequencer operated by Coinbase, so liveness depends on one centralized node. That sequencer has already faltered once: on 5 September 2023 block production stopped for about 43 minutes before engineers restored the chain. Ethereum itself once executed a state-reversing hard fork after the 2016 DAO exploit.
Oracle
4/10
How is price fetched and signed? Independence, on-chain proofs, refresh speed, circuit breakers.
Coinbase-Morpho pulls price data from a single on-chain Chainlink feed (via MorphoChainlinkOracleV2) for both BTC/USD and cbBTC/BTC. Chainlink is an independent, publicly auditable oracle, satisfying the “one independent feed” criterion, but the lack of a second source keeps the score above 2. The 29 May 2025 deUSD mis-price, which triggered ≈ $500k of liquidations on Avalanche when Chainlink’s VWAP logic flagged a stray trade, underscores why single-provider dependence is risky.
Liquidation Buffer
4/10
How much room and time before liquidation? Combines LTV gap, grace window, and flash-crash guards.
Max LTV 75% (email notice), liquidation at 86%, i.e. an 11 pp buffer. No grace window. LTV is recomputed continuously per loan within set guardrails.
Rate & Term
7/10
Can interest spike mid-loan? Looks at fixed vs variable APR and funding duration match.
Interest “varies every few seconds with each block” under Morpho’s AdaptiveCurve IRM; no APR cap or notice period.
Transparency
4/10
Can outsiders verify code & solvency? Rewards open-source + live PoR; punishes black boxes.
Coinbase gives continuous, on-chain asset proof for cbBTC, but no comparable proof of liabilities and only partial, non-reproducible source-code openness.
Loan Currency
4/10
What asset do you borrow? Native-BTC best; fiat stables graded on reserves, audits, censorship risk.
Loans are disbursed in USDC.
Privacy
10/10
How exposed is your identity? Scores KYC depth, data storage, and breach history.
Coinbase requires full photo-ID KYC for all customers; data is stored on centralized infrastructure.
History
4/10
Have they proven themselves? Measures years live, audit/OSS footprint, and incident track record.
One significant event inside the 5-year window: the May 2025 data-breach/extortion incident (PII leak); no loss of customer funds.
Jurisdiction
2/10
Which legal system backs you? Rates clarity of licensing, creditor rights, and enforcement.
US MSB/NYDFS qualified custodian, SEC-registered public company.