Coinbase Wrapped BTC (cbBTC) on Aave Monad Assessments

[Asset Technical Assessment] cbBTC on Aave V3 Monad

Author: Aave Labs

Date: 2026-06-30


Summary

Technical assessment of cbBTC (Coinbase Wrapped BTC) for onboarding to Aave V3 Monad, following the Technical Asset Listing Framework.

Overall result: :yellow_circle: MEDIUM :yellow_circle:

cbBTC on Monad is a canonical Chainlink Cross-Chain Interoperability Protocol (CCIP) deployment: a standard burn-and-mint token pool is the only entity allowed to mint or burn, the escrow on Base fully backs the outstanding Monad supply, the bridge has working rate limits, and a suitable 8-decimal Chainlink price feed already exists on Monad. All privileged control routes through a Chainlink-operated signer mesh (MCMS) that proposes to a timelock, with no externally owned account (EOA) holding mint or upgrade authority. The caveat that keeps this from a Good rating is a governance timelock delay of 3 hours (below the 24-hour bar) that governs the token upgrade path, all token roles, and the bridge configuration.

Listing Recommendation

From a technical standpoint, cbBTC on Aave V3 Monad is eligible for listing, with conditions to surface. The governance timelock delay is 3 hours, below the 24-hour bar for an asset whose admin can rewrite the contract or reconfigure the bridge; raising the delay to reduce reaction-time risk is recommended, though the short delay is not a blocker for an initial listing and should be revisited as exposure grows. Both a BTC/USD feed and an asset-specific CBBTC/USD feed are live on Monad.

Asset under review

| Field | Value |
| --- | --- |
| Asset | Coinbase Wrapped BTC (cbBTC) |
| Target chain | Monad (chain ID 143) |
| Target market | Aave V3 Monad |
| Token contract | 0xd18B7EC58Cdf4876f6AFebd3Ed1730e4Ce10414b (proxy) |
| Native to target chain? | No. Bridged from Base via a Chainlink CCIP burn-and-mint token pool; the backing cbBTC is locked in an escrow pool on Base. |
| AAcA classification | Wrapped / tokenized BTC (not yield-bearing) |

cbBTC is a Bitcoin-backed token where each unit represents 1 BTC held in custody by Coinbase. The canonical cbBTC lives on Base and Ethereum. To place cbBTC on Monad, the Chainlink CCIP bridge locks cbBTC in an escrow pool on Base and mints an equal amount on Monad; to leave, the Monad tokens are burned and the Base escrow is released. The Monad representation therefore carries two stacked trust assumptions: the off-chain custodian holding the BTC and the cross-chain bridge that controls minting on Monad.

0. Pre-screening

cbBTC is deployed and verified on Monad at 0xd18B7EC58Cdf4876f6AFebd3Ed1730e4Ce10414b, a transparent proxy whose implementation is the Chainlink Cross-Chain Token (CCT) contract BurnMintERC20PausableFreezableTransparent, built on OpenZeppelin upgradeable 5.0.2. The deployed implementation bytecode is verified against that source. It is a mainstream wrapped BTC collateral asset, not in any non-approved or sanctioned category. cbBTC is listed on other Aave deployments for its Base and Ethereum representations; those are different chain representations of the same asset and serve as references only, with the Monad representation assessed on its own on-chain evidence.

Rating: :green_circle: GOOD :green_circle:

1. ERC20 Compliance

cbBTC on Monad is a standard OpenZeppelin 5.0.2 ERC20 with 8 decimals: transfer() and transferFrom() return bool, with no fee on transfer, no rebasing, no ERC777 or ERC1363 hooks, and no flash mint. There is no whitelist for holding or transferring by default. A per-address freeze (a compliance control) can block transfers for frozen addresses, with the default state unfrozen; this capability is covered in Section 3. The 8-decimal precision matches the Aave oracle standard.

Rating: :green_circle: GOOD :green_circle:

2. Oracle

Two Low Market Pricing Risk, 8-decimal Chainlink feeds are live and fresh on Monad: an asset-specific CBBTC/USD feed with a 5% deviation threshold and 1-hour heartbeat, and a BTC/USD feed with a 2% deviation threshold and the same heartbeat. At review, both feeds were updating well inside their heartbeat and their prices agreed, confirming that the CBBTC/USD feed tracks BTC.

Rating: :green_circle: GOOD :green_circle:
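The freshness and agreement checks described in this section can be expressed as a small monitor. This is an added example, not code from Aave Labs or Chainlink: it works on readings shaped like the `answer` and `updatedAt` fields of `latestRoundData()`, the sample readings are constructed, and the cross-feed tolerance (the sum of the two deviation thresholds) is an assumption.

```python
from dataclasses import dataclass

FEED_DECIMALS = 8        # Aave oracle standard, as stated in the assessment
HEARTBEAT_S = 3600       # 1-hour heartbeat on both feeds
DEVIATION_BPS = {"CBBTC/USD": 500, "BTC/USD": 200}  # 5% and 2%


@dataclass
class Round:
    """The latestRoundData() fields used here (AggregatorV3Interface)."""
    answer: int       # price scaled by 10**decimals
    updated_at: int   # unix seconds of the last on-chain update


def feed_problems(name, rnd, decimals, now):
    """Return the reasons a single feed reading should not be trusted."""
    problems = []
    if decimals != FEED_DECIMALS:
        problems.append(f"{name}: {decimals} decimals, expected {FEED_DECIMALS}")
    if rnd.answer <= 0:
        problems.append(f"{name}: non-positive answer")
    if rnd.updated_at <= 0 or rnd.updated_at > now:
        problems.append(f"{name}: implausible update time")
    elif now - rnd.updated_at > HEARTBEAT_S:
        problems.append(f"{name}: stale by {now - rnd.updated_at - HEARTBEAT_S}s")
    return problems


def divergence_bps(a, b):
    """Gap between two positive prices, in basis points of the lower one."""
    return abs(a - b) * 10_000 // min(a, b)


def assess(cbbtc, btc, now, decimals=FEED_DECIMALS):
    """Check both feeds individually, then check that they agree."""
    problems = (feed_problems("CBBTC/USD", cbbtc, decimals, now)
                + feed_problems("BTC/USD", btc, decimals, now))
    if not problems:  # only compare prices once both readings are usable
        # Assumption: each feed may lag spot by up to its own threshold,
        # so the tolerated gap is the sum of the two thresholds.
        tolerance = sum(DEVIATION_BPS.values())
        gap = divergence_bps(cbbtc.answer, btc.answer)
        if gap > tolerance:
            problems.append(f"feeds diverge by {gap} bps (tolerance {tolerance})")
    return problems


# Constructed readings, not on-chain data: 65,123.45 and 65,200.00 USD.
NOW = 1_800_000_000
SAMPLE_CBBTC = Round(answer=6_512_345_000_000, updated_at=NOW - 900)
SAMPLE_BTC = Round(answer=6_520_000_000_000, updated_at=NOW - 300)
```

An empty list from `assess` means both readings are fresh, positive, 8-decimal, and within tolerance of each other.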

3. Access Control

No EOA holds any privileged role: the token’s admin, pause, freeze, and proxy-upgrade authority all route to a Chainlink RBACTimelock, and mint and burn authority sit only with the CCIP burn-and-mint token pool, which is itself owned by that timelock. The timelock is driven by a Chainlink-operated signer mesh (MCMS). The token can globally pause and can freeze arbitrary addresses, both of which block transfers and could therefore block an Aave liquidation; these powers are held by the timelock, not an EOA, so they cannot be triggered instantly. The token has no fixed supply ceiling (maxSupply() returns 0), so the effective limit on minting is the bridge inbound rate limiter rather than a token cap, and that limiter is raisable by the same governing timelock.

Rating: :yellow_circle: MEDIUM :yellow_circle: → the governance timelock delay is 3 hours, below the 24-hour bar, and governs the upgrade path, all token roles, and the bridge configuration; pause and freeze can block liquidations; and the only effective mint limit is a rate limiter raisable by that timelock.

4. Exchange Rate and Yield

Not applicable. cbBTC is a 1:1 BTC wrapper with no yield, no exchange rate adapter, and no convertToAssets or pricePerShare method. Value tracks BTC directly through the price feed described in Section 2.

Rating: :white_circle: N/A :white_circle:

5. Token Architecture

cbBTC on Monad is a single proxy holding a single supply, minted and burned only through the CCIP token pool, with supply equal to the amount bridged in minus the amount bridged out. Mint and burn emit standard ERC20 Transfer events for observability, and all privileged functions are access-controlled. The token logic contains no tx.origin authorization and no delegatecall beyond the standard transparent-proxy delegation to the implementation. No duplicate or migration contract exists: there is exactly one cbBTC token on Monad, the assessed proxy.

Rating: :green_circle: GOOD :green_circle:

6. Bridge and Cross-Chain Risk

cbBTC on Monad is a canonical Chainlink CCIP Cross-Chain Token deployment with a strict hub-and-spoke topology: Base is the hub, where a lock-and-release pool escrows canonical cbBTC, and Monad is a burn-and-mint spoke whose pool peers only with Base, leaving no spoke-to-spoke route. The CCIP token pool is the sole mint authority on Monad, with no other bridge provider registered and no cross-provider redundancy; inbound and outbound rate limits are enabled in both directions and the Base escrow fully backs all outstanding spoke supply, re-verified on-chain. Privileged control on both the Base hub and the Monad spoke routes through a Chainlink-operated signer mesh (MCMS) and timelock contracts with no EOA, and the timelock on each chain enforces a 3-hour delay.

Rating: :yellow_circle: MEDIUM :yellow_circle: → the Base and Monad timelocks each carry only a 3-hour delay, the mint limit is a raisable rate limiter rather than a token cap, and the design uses a single bridge provider and single hub escrow.
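The supply-side conditions from Section 3 (no token cap, so the inbound rate limiter is the effective mint limit) and this section (hub escrow backing the spoke supply, 3-hour timelock) can be checked together on one snapshot. This is an added example, not code from Aave Labs or Chainlink: the `Bucket` token-bucket model and its field names are hypothetical, the snapshot values are constructed, and measuring limiter inflow over a window equal to the timelock delay is an assumption chosen for illustration.

```python
from dataclasses import dataclass

UNIT = 10 ** 8               # cbBTC uses 8 decimals
DELAY_BAR_S = 24 * 3600      # 24-hour bar cited in the assessment


@dataclass
class Bucket:
    """Hypothetical token-bucket view of the inbound rate limiter."""
    enabled: bool
    capacity: int   # base units the bucket holds when full
    rate: int       # base units refilled per second


def max_inflow(bucket, window_s):
    """Most that can pass the limiter in window_s, starting from a full
    bucket; None means unbounded (limiter disabled)."""
    if not bucket.enabled:
        return None
    return bucket.capacity + bucket.rate * window_s


def review(escrow, spoke_supply, max_supply, inbound, delay_s):
    """Return (severity, message) findings for one snapshot of both chains."""
    findings = []
    if spoke_supply > escrow:
        gap = (spoke_supply - escrow) / UNIT
        findings.append(("HIGH", f"spoke supply exceeds hub escrow by {gap:.8f} cbBTC"))
    if delay_s < DELAY_BAR_S:
        findings.append(("MEDIUM", f"timelock delay {delay_s // 3600}h is below the 24h bar"))
    if max_supply == 0:  # maxSupply() == 0: no fixed ceiling on the token
        bound = max_inflow(inbound, delay_s)
        if bound is None:
            findings.append(("HIGH", "no supply cap and inbound limiter disabled"))
        else:
            findings.append(("MEDIUM", f"no supply cap; limiter admits up to "
                             f"{bound / UNIT:.2f} cbBTC per timelock delay"))
    return findings


# Constructed snapshot, not on-chain values.
SNAPSHOT = dict(escrow=1_200 * UNIT, spoke_supply=1_200 * UNIT, max_supply=0,
                inbound=Bucket(enabled=True, capacity=50 * UNIT, rate=1_000_000),
                delay_s=3 * 3600)
```

Calling `review(**SNAPSHOT)` yields two MEDIUM findings, matching the two conditions this assessment raises; an under-backed escrow or a disabled limiter escalates to HIGH.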

7. Audit and Security History

The deployed code is from the audited Chainlink CCT and CCIP family, on OpenZeppelin upgradeable 5.0.2, with verified source on-chain. Coinbase backs cbBTC 1:1 with BTC and runs a smart-contract bug bounty on Cantina with a $5,000,000 total pool in which cbBTC is named in the top-tier scope. No cbBTC or CCIP Cross-Chain Token exploit is known, and no open Critical or High finding is known. The residual gap is that the audit reports for the deployed code are not public; Aave Labs had access to them for this assessment, but they cannot be independently verified by the community.

Rating: :yellow_circle: MEDIUM :yellow_circle: → the deployed code derives from the audited Chainlink CCT and CCIP stack with no known exploit or open Critical or High finding; the audit reports are not public, though Aave Labs had access to them for this assessment.

8. Dependencies

cbBTC on Monad has two production dependencies: the off-chain BTC custody held by Coinbase, which is the ultimate backing and cannot be verified from Monad, and the Chainlink CCIP bridge, which holds the token’s mint and burn authority. Coinbase publishes a Chainlink Proof-of-Reserve feed for cbBTC on Base, but no such feed exists on Monad, so the backing is not provable from the target chain, which is inherent to a custodial wrapped asset. Both dependencies are governed by multisig and timelock with no EOA, but the token and bridge share governance roots, so a bridge governance compromise is a token supply compromise. Liquidators can sell cbBTC on Monad pools or bridge it back to Base, subject to the token not being paused and the position not being frozen.

Rating: :yellow_circle: MEDIUM :yellow_circle: → the off-chain BTC custody is not provable from Monad, and the token and bridge share governance roots gated by a 3-hour timelock.

9. Summary

Findings table

| Area | Key finding | Rating |
| --- | --- | --- |
| 0. Pre-screening | Deployed and verified on Monad; transparent proxy on the Chainlink CCT BurnMintERC20PausableFreezableTransparent implementation (OpenZeppelin upgradeable 5.0.2); mainstream wrapped BTC, not sanctioned. | Good |
| 1. ERC20 | Standard OpenZeppelin 5.0.2 ERC20 with 8 decimals; returns bool, no fee on transfer, no rebase, no hooks, no flash mint; per-address freeze present (default unfrozen). | Good |
| 2. Oracle | Two live, fresh Low-risk 8-decimal Chainlink feeds on Monad (BTC/USD at 2% deviation, CBBTC/USD at 5% deviation); BTC/USD is the preferable source. | Good |
| 3. Access control | No EOA holds any role; admin, pause, freeze, and upgrade route to a 3-hour timelock driven by a Chainlink-operated signer mesh (MCMS); mint and burn sit only with the CCIP pool; no token supply cap, only a raisable bridge rate limit; pause and freeze can block liquidations. | Medium |
| 4. Exchange rate / yield | Not yield-bearing; 1:1 BTC wrapper; no exchange rate adapter; value tracks BTC via the price feed. | N/A |
| 5. Token architecture | Single proxy, single supply, mint and burn only via the CCIP pool, events emitted; no tx.origin, no delegatecall beyond proxy delegation; no duplicate supply path. | Good |
| 6. Bridge and cross-chain | Canonical CCIP burn-and-mint spoke off a Base lock-and-release hub; escrow fully backs spoke supply; rate limits enabled both directions; no EOA; 3-hour timelock on both legs; single provider and single hub. | Medium |
| 7. Audit and security | Built from the audited Chainlink CCT and CCIP stack on OpenZeppelin upgradeable 5.0.2; verified on-chain; no known exploit or open Critical or High finding; audit reports not public. | Medium |
| 8. Dependencies | Off-chain Coinbase BTC custody (not provable from Monad) and the Chainlink CCIP bridge; both governed by multisig and timelock, no EOA; token and bridge share governance roots. | Medium |

Disclaimer

Aave Labs has no formal or informal affiliation with Coinbase or the cbBTC issuer beyond this technical assessment. Aave Labs has not been compensated by Coinbase or any related party in connection with this work.

Copyright

Copyright and related rights waived via CC0.