Coinbase lost about $300,000 in token fees after mistakenly approving assets to a 0x Project smart contract, allowing a maximal extractable value (MEV) bot to drain the funds.
Deebeez, a security researcher at Venn Network, flagged the incident in a Wednesday post on X. He said Coinbase’s corporate wallet interacted with 0x’s “swapper” contract, a permissionless tool designed to execute swaps but not to receive token approvals.
Since anyone can call the contract to perform arbitrary actions, granting approvals can expose assets to immediate theft. “This same swapper is known to have had issues with Zora claims on Base,” the researcher wrote, linking to past cases where the setup enabled malicious actors to extract funds without exploiting code vulnerabilities.
Screenshots shared by Deebeez showed Coinbase granting approvals for tokens including Amp, MyOneProtocol, DEXTools and Swell Network on Wednesday afternoon. Soon after, an MEV bot called the swapper contract to transfer the approved tokens from Coinbase’s fee receiver account into its addresses.
Related: MEV arbitrageurs on Ethereum increasingly centralized
MEV bot lurking in the dark
Deebeez said the MEV bot that drained funds from Coinbase had been “lurking in the dark,” waiting for users to mistakenly approve the contract to drain all their funds. “Their dream came true thanks to Coinbase,” the researcher wrote.
The researcher added that the incident, which drained the Coinbase fee receiver account of all its tokens, was an “expensive lesson” for the team.
Coinbase chief security officer Philip Martin confirmed the incident, describing it as an “isolated issue” linked to a configuration change in one of the exchange’s corporate DEX wallets.
“No customer funds were affected,” Martin said, adding that Coinbase revoked the token allowances and moved remaining funds to a new corporate wallet.
Related: Crypto MEV Bot launches crypto trading bot for individual and enterprise traders
MEV bot exploit costs $180,000 in Ether
In April, a MEV bot lost $180,000 in Ether (ETH) after an attacker exploited a vulnerability in its access control system. The attacker reportedly swapped the bot’s ETH for a worthless token via a malicious pool created within the same transaction.
In a similar incident in 2023, a rogue validator exploited MEV bots attempting “sandwich trades,” stealing $25 million in digital assets, including WBTC (WBTC), USDC (USDC), USDt (USDT), DAI (DAI) and WETH (WETH).
Magazine: Coinbase hack shows the law probably won’t protect you — Here’s why
