Case study | August 31, 2024

Braintrust – Safe Wallet and Coinbase Integration

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Freelance Labs, Inc. engaged Composable Security to conduct an in-depth security review of Braintrust, a decentralized talent network. The primary objective was to ensure the secure expansion of the Braintrust platform onto the Base network, validate integrations with third-party services such as Coinbase Onramp, and secure the wallet infrastructure used by its users.

Basic information

Project type: Decentralized Talent Marketplace

Service: Security consultation and audit (web application, API, and smart contracts)

Results: All 2 high and 5 medium-risk vulnerabilities were successfully resolved. 6 low-risk issues were either acknowledged or fixed. Recommendations for long-term security practices and infrastructure improvements were delivered and partially implemented.

About Braintrust

Freelance Labs, Inc. is the team behind Braintrust, a decentralized network that connects skilled professionals with top-tier organizations. Built on web3 principles, Braintrust rewards contributors with its native BTRST token and offers features beyond job matching, including reference systems, career guidance, and AI-enhanced tools.

As the platform scaled, it became essential to safeguard its growing infrastructure and user base through robust security practices.

Visit website: https://www.usebraintrust.com/

About the service scope

The project involved complex integrations across multiple platforms – smart contracts on Base, a proprietary Token API, and third-party services like Coinbase Onramp. The team worked with multiple backend repositories under active development, which posed challenges in maintaining code clarity and traceability. Time constraints and the need to preserve business continuity further shaped the review strategy.

The subjects of the test were selected contracts from the Braintrust repository.

Initial challenges and constraints:

  • Multi-repo architecture: The platform’s backend was split across two active repositories – the Braintrust Token API and the main Braintrust app – both under continual development. This required precise coordination during testing and retesting.
  • Third-party dependencies: The integration with Coinbase Onramp introduced additional attack surfaces, particularly around parameter validation and external token delivery, which demanded in-depth validation beyond standard API security.
  • Escrow logic complexity: A key feature of the platform involves locking and releasing tokens based on job completion. This required careful inspection of logic tied to multiple user actions (askers, receivers) and state transitions.

Defined objectives:

  • Ensure secure integration with the Coinbase Onramp, validating that only the correct token (BTRST) could be purchased and that funds were properly routed to user-specific Safe wallets.
  • Audit the Safe wallet system, which generates individual wallets for users, to prevent unauthorized transfers or wallet takeovers.
  • Assess the backend logic and API access control, identifying any potential for unauthorized transactions, logic bypasses, or denial of service scenarios.
  • Validate smart contract security on the Base network, ensuring compliance with standard token deployment practices and that no modifications introduced vulnerabilities.
  • Answer focused consultation questions related to the escrow system, token transfers, refund processes, and Coinbase integration security.
  • Provide clear, actionable recommendations for both immediate fixes and long-term security improvements.

Identified threats

As before every smart contract audit, thorough threat modeling was performed. The results were made available to the client for joint analysis.

Key assets that require protection:

  • CDP Key and API Keys
  • BTRST tokens

Potential attacker goals:

  • Unauthorized transfer of tokens via API
  • Unauthorized mint of tokens
  • Takeover of the Safe wallet by the user
  • Takeover of the Safe wallet by the attacker using a pre-generated wallet
  • Fake events
  • Unauthorized transfer of tokens within BTRST Payments
  • Lock of BTRST tokens in payment escrow mechanism
  • Token theft from escrow mechanism
  • Payment with a fake token
  • Refunding delivered work
  • Bypassing the fee
  • Insecure integration with Coinbase Ramp
  • Denial of Service

Potential scenarios to achieve the indicated attacker’s goals:

  • Forging signer’s signature
  • Using less valued token to increase the balance
  • Omitting events
  • Spoofing Safe wallet address
  • DoS through low gas limit
  • DoS through multiple small txs
  • DoS through spamming wallet creation actions
  • Lack of compliance with Base tokens standard deployment process
  • Inability to bridge the token
  • Deposit of fake token
  • Front-running wallet creation
  • Influence or bypass the business logic of the system
  • Take advantage of arithmetic errors
  • Privilege escalation through incorrect access control to functions or badly written modifiers
  • Existence of known vulnerabilities (e.g., front-running, re-entrancy)
  • Design issues
  • Excessive privileges, beyond those declared for the role
  • Poor security against taking over the managing account
  • Private key compromise, rug-pull
  • Withdrawal of more funds than expected
  • Modifying or executing submitted transactions

More can be found in the report.

Smart contract audit results

A comprehensive security review outlined six vulnerabilities (1 high, 2 medium, 3 low) and one additional recommendation.

Key findings:

  • [High Severity] Race condition on BTRST payments and withdrawals
  • [High Severity] Improper validation of Coinbase transaction
  • [Medium Severity] Invalid Safe wallet selection
  • [Medium Severity] Reverts on Safe wallet multi transfers
  • [Medium Severity] Improper event logs parsing
  • [Medium Severity] Improper validation of the signature
  • [Medium Severity] Withdrawal limit bypass
  • Other (low-severity) findings included an exceeded reward cap, an invalid error message, the recommendation to use one key per wallet, an incorrect BTRST balance shown when the Token API is unavailable, session ID leakage, and an overly long session age.

The engagement resulted in substantial security improvements across the Braintrust platform.

Key outcomes included:

  • Full remediation of high-risk vulnerabilities, including a race condition in the withdrawal logic and improper validation of third-party Coinbase transactions. These issues, if left unresolved, could have enabled overspending or token balance manipulation.
  • Strengthened wallet handling, with fixes addressing issues like invalid Safe wallet selection, insufficient withdrawal limit enforcement, and reliance on inactive wallet states. These changes ensure that token operations are accurate and reliably linked to active user accounts.
  • Improved multi-transfer logic in Safe wallets, mitigating risks of internal transaction reverts due to under-provisioned gas limits. Dynamic gas calculations and transfer count constraints were implemented to safeguard these operations.
  • Implemented secure integration with Coinbase Onramp using session tokens, ensuring that token purchase parameters cannot be tampered with. This prevents users from substituting different tokens or rerouting funds to unauthorized addresses.
  • Reduced exposure of sensitive information, including the encryption of session identifiers and plans to shorten session cookie duration, improving client-side resilience against session hijacking.
  • Smart contract validation confirmed that the BTRST token on Base adhered to deployment standards and was free from logic errors or inconsistent behavior.
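
The withdrawal race condition named in the first outcome, as an added illustration that is not Braintrust's or Composable Security's code: a check-then-act withdrawal lets two concurrent requests both pass the balance check and overspend, while a conditional single-statement debit cannot. The in-memory SQLite ledger, the user name and the amounts are constructed for the example; the real Token API schema is not on the page.

```python
import sqlite3


def make_ledger(user: str, balance: int) -> sqlite3.Connection:
    """Constructed in-memory balance table standing in for the Token API ledger."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO balances VALUES (?, ?)", (user, balance))
    conn.commit()
    return conn


def withdraw_racy(conn: sqlite3.Connection, user: str, amounts: list[int]) -> int:
    """Check-then-act withdrawal. The two phases model the lost-update interleaving:
    every concurrent request reads the balance before any of them writes, so each
    passes the check against the same stale value. Returns the number of payouts."""
    approved = []
    for amt in amounts:  # phase 1: all requests read and check
        (bal,) = conn.execute("SELECT balance FROM balances WHERE user = ?", (user,)).fetchone()
        if bal >= amt:
            approved.append((amt, bal))
    for amt, bal in approved:  # phase 2: each writes from its stale read
        conn.execute("UPDATE balances SET balance = ? WHERE user = ?", (bal - amt, user))
    conn.commit()
    return len(approved)


def withdraw_atomic(conn: sqlite3.Connection, user: str, amounts: list[int]) -> int:
    """Conditional decrement: the check and the debit are one statement, so a
    second request cannot spend balance the first already consumed. Only requests
    whose UPDATE actually modified the row are paid out."""
    paid = 0
    for amt in amounts:
        cur = conn.execute(
            "UPDATE balances SET balance = balance - ? WHERE user = ? AND balance >= ?",
            (amt, user, amt),
        )
        if cur.rowcount == 1:
            paid += 1
    conn.commit()
    return paid


def balance_of(conn: sqlite3.Connection, user: str) -> int:
    return conn.execute("SELECT balance FROM balances WHERE user = ?", (user,)).fetchone()[0]


if __name__ == "__main__":
    racy = make_ledger("alice", 100)
    print("racy payouts:", withdraw_racy(racy, "alice", [80, 80]), "balance:", balance_of(racy, "alice"))
    safe = make_ledger("alice", 100)
    print("atomic payouts:", withdraw_atomic(safe, "alice", [80, 80]), "balance:", balance_of(safe, "alice"))
```

With a 100-token balance and two concurrent 80-token requests, the racy path pays out twice (160 tokens) and leaves a balance of 20, whereas the atomic path pays out once and rejects the second request.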

Composable Security emphasized collaboration and clarity throughout the audit, ensuring that Freelance Labs, Inc. could both resolve vulnerabilities and build longer-term security capacity:

  • Ongoing issue reporting: Findings were shared continuously as they were discovered, allowing the client’s development team to begin remediation early and avoid security debt.
  • Dedicated consultation space: A shared Confluence workspace facilitated structured Q&A, feedback loops, and traceability of decisions across both engineering teams.
  • Contextual developer support: Each issue included technical context, commit-level references, and secure design recommendations.
  • Post-audit recommendations: Composable Security delivered best practice guidelines, encouraging the use of automated tooling (such as Slither), formal threat modeling, and adoption of the Smart Contract Security Verification Standard (SCSVS).
  • Retest walkthrough: After initial fixes, a structured retest confirmed resolution of all major issues. The team also discussed open items marked as “acknowledged,” helping the client track deferred enhancements and their risk profiles.
