Coinbase's Base MCP Relies on Human Vigilance to Mitigate Risks
The recent launch of Base MCP by Coinbase has sparked debate over its security features. The system is touted as non-custodial, meaning the server never touches the private keys, and every write action requires user approval through Base Account. However, critics argue that this design relocates risk rather than removing it, placing it squarely on the user.
Base MCP operates on Anthropic's Model Context Protocol, which allows assistants to prepare actions and leave them pending for user review. This approach has several benefits, including reducing phishing exposure and cutting some transaction risks. The system also uses OAuth 2.1 for authentication and has partnered with various DeFi protocols, including Uniswap, Morpho, and Moonwell.
Despite these advancements, security experts warn that the risk does not disappear but moves to a new layer: the approval layer and the broader agent stack. This includes vulnerabilities such as prompt injection, where malicious instructions can be hidden in links or plugins, pushing the agent towards unwanted actions. The system also relies on user vigilance, which is often compromised by approval fatigue.
Critics argue that Base MCP's design creates a trade-off between convenience and security. While it streamlines the approval flow through an open standard, it requires users to be constantly vigilant and review every operation carefully. This can lead to friction in DeFi applications, where frequent transactions are common. The x402 micropayments protocol is cited as an example of this issue.
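One way to concentrate human attention at the approval layer described above, as an added example that is not Coinbase's or Base MCP's code: a pre-approval triage that marks which pending actions deserve a prominent warning. The action fields, policy values, addresses and source labels are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical user policy. Addresses are constructed placeholders.
ALLOWLISTED_TARGETS = {"0x" + "aa" * 20, "0x" + "bb" * 20}
PER_ACTION_CAP_USD = 500.0
UNLIMITED = 2**256 - 1  # max uint256, commonly used as an "unlimited" ERC-20 allowance
# Assumed labels for content the agent read that the user did not write.
UNTRUSTED_SOURCES = {"web_page", "plugin_output"}


@dataclass
class PendingAction:
    kind: str            # "swap", "transfer" or "approve"
    target: str          # contract or recipient address
    value_usd: float     # estimated value of the action
    allowance: int = 0   # token allowance requested, for "approve" only
    context_sources: list = field(default_factory=list)


def triage(action):
    """Return (level, reasons). Every action still goes to the user for
    approval; the level only decides how prominently it is presented."""
    reasons = []
    if action.target.lower() not in ALLOWLISTED_TARGETS:
        reasons.append("target not in allowlist")
    if action.value_usd > PER_ACTION_CAP_USD:
        reasons.append("value above per-action cap")
    if action.kind == "approve" and action.allowance == UNLIMITED:
        reasons.append("unlimited token allowance")
    tainted = sorted(UNTRUSTED_SOURCES & set(action.context_sources))
    if tainted:
        reasons.append("prepared after reading: " + ", ".join(tainted))
    if not reasons:
        return "routine", reasons
    # Untrusted input plus a policy deviation matches the injection pattern.
    level = "high" if tainted and len(reasons) > 1 else "elevated"
    return level, reasons


# Constructed sample queue of pending actions.
SAMPLE_QUEUE = [
    PendingAction("swap", "0x" + "aa" * 20, 120.0, context_sources=["user_prompt"]),
    PendingAction("approve", "0x" + "aa" * 20, 0.0, UNLIMITED, ["user_prompt"]),
    PendingAction("transfer", "0x" + "cc" * 20, 900.0, 0, ["user_prompt", "web_page"]),
    PendingAction("swap", "0x" + "bb" * 20, 50.0, context_sources=["plugin_output"]),
]

if __name__ == "__main__":
    for a in SAMPLE_QUEUE:
        print(a.kind, a.target[:6], *triage(a))
```

Reserving the loudest prompt for the few actions that both read untrusted content and deviate from policy is what keeps routine approvals from training the user to click through.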




