Coinbase, the largest U.S.-based cryptocurrency exchange, reportedly lost $300,000 after a misconfiguration involving 0xProject’s token swap platform allowed malicious MEV (Maximal Extractable Value) bots to exploit its system. On Aug. 13, a pseudonymous security researcher known as Deebeez revealed that Coinbase mistakenly used 0x’s swapper contract to approve tokens, a function it was never designed for [1]. This error granted the bots unlimited access to the tokens stored in Coinbase’s fee-receiving account, leading to their rapid extraction [1].

Deebeez explained that the swapper is not intended for token approvals, and the same vulnerability had previously caused issues with Zora claims on the Base network. “This swapper allows users to make arbitrary calls,” he noted [1]. In this case, the misconfigured approval acted as a trapdoor, enabling the MEV bot to drain the account of all accumulated tokens. “Their dream came true thanks to Coinbase,” Deebeez added [1].

Philip Martin, Coinbase’s Chief Security Officer, confirmed the incident was an isolated event caused by a recent modification to one of the company’s corporate decentralized exchange (DEX) wallets. This led to unauthorized token transfers but did not impact customer assets [1]. Martin stated that the exchange has since revoked all problematic token allowances and migrated its holdings to a new corporate wallet to prevent further losses [1].
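An added example, not from the article, Coinbase or 0x: one way a wallet operator could audit for the condition described above, by replaying ERC-20 `Approval` event logs to find allowances still granted to a contract that forwards arbitrary calls. All addresses and log entries are constructed, and `arbitrary_call_spenders` is an assumed operator-maintained denylist.

```python
# Added example. Addresses and logs below are constructed, not from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Replay Approval logs in chain order -> {(token, owner, spender): amount}.
    This is an upper bound: transferFrom can spend an allowance without a new
    Approval event, so confirm findings with the token's allowance() view."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) revokes the allowance
        else:
            state[key] = amount
    return state

def audit(logs, owner, arbitrary_call_spenders):
    """Flag the owner's live allowances to contracts known to forward arbitrary calls."""
    risky = {s.lower() for s in arbitrary_call_spenders}
    return [{"token": t, "spender": s, "unlimited": amt == MAX_UINT256}
            for (t, o, s), amt in live_allowances(logs).items()
            if o == owner.lower() and s in risky]

def make_log(token, owner, spender, amount, block, index=0):
    """Build a constructed log entry in eth_getLogs shape."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

OWNER, SWAPPER, ROUTER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B, TOKEN_C = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_B, OWNER, SWAPPER, 0, 18),            # later revocation of TOKEN_B
    make_log(TOKEN_A, OWNER, SWAPPER, MAX_UINT256, 16),  # unlimited, never revoked
    make_log(TOKEN_B, OWNER, SWAPPER, MAX_UINT256, 17),
    make_log(TOKEN_C, OWNER, ROUTER, 5000, 17, index=1),  # spender not on the denylist
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS, OWNER, {SWAPPER}):
        print(finding)
```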
This incident follows a separate insider-driven data breach in 2023, which compromised the personal information of nearly 70,000 users and led to attempted extortion of $20 million in
. The attackers also used the stolen data to impersonate Coinbase staff in complex social engineering schemes, resulting in the theft of millions of dollars. In response, Coinbase has since strengthened its internal security protocols and terminated employees involved in the breach [1].

The latest incident highlights the ongoing challenges exchanges face in managing smart contract risks and mitigating exploitation by sophisticated MEV strategies. While Coinbase has taken steps to secure its systems, the event serves as a reminder of the importance of rigorous code audits and proper configuration controls in decentralized finance (DeFi) environments.
Source: [1] Coinbase loses $300k to rogue MEV bots after token swap blunder (https://cryptoslate.com/coinbase-loses-300k-to-rogue-mev-bots-after-token-swap-blunder/)