The Loss Is Yours: Inside Coinbase’s Terms That Shift Liability to Users

When a Coinbase customer experiences losses after phishing, SIM-swap, or other credential compromise, several provisions in the U.S. Individual User Agreement may be relevant.

Below, we quote representative language and explain how these clauses can function in disputes.

This article is for informational purposes only and does not assert wrongdoing by any party.

This article addresses the current U.S. Individual User Agreement on Coinbase’s legal site and excerpts the precise sections Coinbase relies on in credential-theft disputes. Because Coinbase updates terms periodically, customers should always capture the agreement operative on the incident date and preserve a copy for the record.

Clause #1 — Risk of loss allocated to the customer

“Title to Supported Digital Assets shall at all times remain with you […] you shall bear all risk of loss.” (User Agreement §2.7.1, Ownership)

Because title remains with the user and the clause assigns risk of loss to the user, parties may argue that losses in an account are borne by the user absent an independent legal basis shifting or sharing that risk.

Clause #2 — Transactions using your credentials are presumed authorized

“When a […] transaction occurs using your credentials, we will assume that you authorized such transaction.” (Section 3.6)

“Reporting an unauthorized transaction does not guarantee Coinbase will be able to reverse the transaction or reimburse you for the transaction.” (Section 3.6)

In scenarios such as SIM-swap, spoofed-site, malware, or remote-access attacks, transfers signed with a user’s factors may be treated as authorized for platform purposes, and the agreement does not promise reversal or reimbursement upon later notice.

Clause #3 — No responsibility for losses from compromised credentials

“Coinbase will never […] ask you […] for your passwords, 2-factor codes, or to screen share […] Coinbase is not liable for any loss […] due to the compromise of your account login credentials.” (Section 6.7)

This clause frames losses arising from compromised login credentials (e.g., fake support calls, screen-share scams, SIM-swap, credential-stuffing) as user-side risk not attributed to Coinbase’s systems, complementing the presumption in §3.6.

Clause #4 — “AS IS” / no warranties & liability limits

“THE COINBASE SERVICES ARE PROVIDED ON AN ‘AS IS’ AND ‘AS AVAILABLE’ BASIS […].” (Section 8.2)

The agreement also includes disclaimers relating to service issues (e.g., “viruses,” “glitches, bugs, errors”) and limits certain categories of damages, subject to applicable law.

Potential effect in disputes. Even where a feature lagged or behaved unexpectedly, the no-warranty language and damages limitations may narrow contract-based recovery, subject to statutory carve-outs and jurisdiction-specific rules.

Reading the provisions together

One way to analyze these provisions is:

1. Allocation: title with the user → user bears risk (Section 2.7.1)
2. Authorization: activity with user credentials presumed authorized; notice alone doesn’t assure reversal (Section 3.6)
3. No-fault framing: credential compromise treated as external to Coinbase (Section 6.7)
4. Contract shields: “AS IS” / damages limits (Section 8.2)

Actual outcomes turn on the facts, applicable statutes, and governing law.

Case Study

Courts have addressed the enforceability of user-agreement clauses in cryptocurrency or digital-asset platforms, particularly those that allocate the risk of loss to users or include “AS IS”, no-warranty, or limitation-of-liability terms.

These cases often hinge on the interpretation of the user agreements, the presence of integration clauses, and the extent to which users are deemed to have accepted the terms.

Courts have also considered whether platforms have a legal duty beyond the terms explicitly agreed upon, especially in situations involving risks such as account compromise or loss of assets.

• In Archer v. Coinbase, Inc., 53 Cal. App. 5th 266, the court held that the cryptocurrency exchange platform was not liable for an investor’s breach of contract claim because the user agreement did not require the platform to support or provide services for a particular cryptocurrency. The agreement’s integration clause barred the use of parol evidence to impose additional obligations, and the platform had no legal duty beyond the agreed terms.

“When the parties to a written contract have agreed to it as an integration—a complete and final embodiment of the terms of an agreement—parol evidence cannot be used to add to or vary its terms.”

The court also rejected claims of conversion and negligence, emphasizing that the platform took no affirmative action to deprive the investor of the currency and had no duty to provide services beyond those agreed upon.

• In SEC v. Coinbase, Inc., 726 F. Supp. 3d 260, the court examined the risks associated with Coinbase’s staking program, noting that while users retained ownership of their crypto-assets, the assets were at risk of loss through mechanisms such as “slashing.” The user agreement limited Coinbase’s indemnification obligations, excluding losses caused by third parties, force majeure events, or other factors outside Coinbase’s control. The court highlighted that the risk of loss existed despite the absence of actual losses, and the agreement’s terms clearly allocated certain risks to the users.

“[…] once a customer’s crypto-assets are […] staked to the underlying blockchain protocol, those assets are at risk of being ‘slashed.’”

• In In re Celsius Network LLC, 649 B.R. 87, the court found that customers only had contract claims under the Terms of Use against the debtor, Celsius Network LLC, and not its affiliates.

“[…] the parties to the terms of use intended that only LLC, and not any other Debtor or non-Debtor affiliates, are liable to Customers on contract claims under the terms of use.”

The court emphasized that the Terms of Use, which customers were required to accept to access the platform, allowed the debtor to unilaterally update the terms. The updated terms defined “Celsius” to include the debtor and its affiliates, but the court determined that liability was limited to the debtor based on the terms and extrinsic evidence. The case underscores the enforceability of user agreements in defining the scope of liability and the allocation of risk.

FAQs (client-facing)

“I reported within hours—why wasn’t I reimbursed?”

Section 3.6 presumes transactions using your credentials were authorized and does not guarantee reversal or reimbursement upon notice. Whether remedies exist depends on the facts and applicable law beyond the contract.

“What if my carrier performed a SIM-swap?”

Section 6.7 states Coinbase is not liable for losses due to compromised login credentials. Any claims against other parties (e.g., a carrier) may involve different facts, evidence, and legal theories.

“What does ‘AS IS’ mean for my case?”

“No-warranty” language can narrow contract-based claims, though statutory protections (and any required carve-outs) may still apply. Outcomes turn on jurisdiction and facts.

Conclusion

The contract provisions discussed above don’t decide a case on their own—but they do set the lens. Read together, they can (i) place certain risks on the account holder, (ii) presume authorization for activity conducted with stored credentials or factors, and (iii) narrow warranty- and damages-based relief.

What actually matters is the record you build and the law that applies to it.

Contact Us

Even in difficult, credential-compromise scenarios, there are paths to evaluate and pursue.

With over six years of experience and a record of handling more than 100 consumer arbitration cases, we have  pursued claims against major cryptocurrency exchanges—including Coinbase, and leading phone carriers such as Verizon, T-Mobile, and AT&T.

Our attorneys are skilled in navigating proceedings before all major arbitration forums, including AAA, JAMS, and NAM.

We also represent victims whose digital assets were stolen not only from regulated exchanges but also from self-custody wallets like MetaMask and other decentralized platforms.

If you have suffered losses due to a SIM swapping incident or other cyber fraud, contact Corvane Linton Law Firm at help@corvanelinton.com to discuss your case and options for recovery.