Coinbase Loses $300,000 in Token Fees Due to 0x Swapper Contract Error

Generated by AI Agent Coin World
Thursday, Aug 14, 2025 5:53 am ET
Aime Summary

- Coinbase lost $300,000 in token fees due to a misconfigured 0x Project swapper contract approval, enabling an MEV bot to drain assets.

- Security researcher Deebeez highlighted the swapper's prior issues and the bot's rapid exploitation of the configuration error.

- Coinbase's CISO confirmed the incident as an isolated wallet configuration flaw, with no customer funds affected and assets secured in a new wallet.

- The event underscores DeFi risks from MEV bots, echoing past losses and emphasizing the need for vigilance in blockchain asset management.

Coinbase recently suffered a $300,000 loss in token fees due to a misconfigured smart contract approval involving the 0x Project’s “swapper” contract [1]. The corporate wallet mistakenly approved tokens to the swapper, a permissionless tool designed for executing trades rather than receiving approvals, which enabled an MEV (Maximal Extractable Value) bot to quickly transfer the assets [2]. The incident was flagged by security researcher Deebeez, who noted that the swapper had previously been involved in similar issues, such as those related to Zora claims on the Base chain [1].

The 0x swapper, in this case, acted as a conduit for the MEV bot to siphon approved tokens including Amp, MyOneProtocol, DEXTools, and Swell Network from Coinbase’s fee receiver account [1]. Screenshots provided by Deebeez showed the timing and nature of the approvals, followed by the swift transfer of assets to the bot’s addresses [2]. The bot, described as having “lurked in the dark” waiting for such an opportunity, was able to exploit the configuration change and drain the account of its contents [1].

Philip Martin, Coinbase’s chief security officer, confirmed the incident, calling it an “isolated issue” tied to a recent configuration adjustment in a corporate DEX wallet [3]. He assured that no customer funds were affected and that the company had since revoked the problematic token approvals and relocated the remaining assets to a new corporate wallet [2].

This incident underscores the risks associated with smart contract approvals in the DeFi space, where even a minor misstep can lead to substantial financial loss. MEV bots are known for exploiting such opportunities at high speed, often before human intervention is possible [1]. The event echoes past MEV bot-related incidents, including a $180,000 Ether loss in April and a $25 million theft in 2023 involving sandwich trades [1].
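The approval hygiene described above can be checked from event logs. The following is an added example, not code from the article or from Coinbase or 0x: it replays ERC-20 `Approval` logs for one wallet and reports live approvals whose spender is on a list of contracts that should never hold an allowance. All addresses are constructed placeholders, and the log dictionaries are assumed to be `eth_getLogs` results with `blockNumber` and `logIndex` already decoded to integers.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, wallet):
    """Replay Approval logs in chain order; the latest value per (token, spender) wins.
    Spending via transferFrom is not tracked, so values are upper bounds."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if addr(t[1]) != wallet.lower():
            continue  # approval granted by some other owner
        key = (log["address"].lower(), addr(t[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = value
    return state

def flag_risky(state, never_approve):
    """Return live approvals whose spender is on the must-never-be-a-spender list."""
    deny = {a.lower() for a in never_approve}
    return sorted((tok, sp, val) for (tok, sp), val in state.items() if sp in deny)

# --- constructed sample data: every address below is a placeholder ---
WALLET, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
SWAPPER, ROUTER = "0x" + "5e" * 20, "0x" + "70" * 20   # hypothetical contracts
TOKEN1, TOKEN2 = "0x" + "01" * 20, "0x" + "02" * 20
MAX = 2**256 - 1

def mk(block, idx, token, owner, spender, value):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

LOGS = [mk(102, 0, TOKEN2, WALLET, SWAPPER, 0),      # revocation, listed out of order
        mk(100, 0, TOKEN1, WALLET, ROUTER, 500),     # intended spender
        mk(101, 2, TOKEN1, WALLET, SWAPPER, MAX),    # unlimited approval to executor
        mk(101, 1, TOKEN2, WALLET, SWAPPER, 1000),
        mk(101, 3, TOKEN1, OTHER, SWAPPER, MAX)]     # different owner, ignored

if __name__ == "__main__":
    for tok, sp, val in flag_risky(outstanding_approvals(LOGS, WALLET), [SWAPPER]):
        print(f"REVOKE: token {tok} -> spender {sp} allowance {val}")
```

Because the replay only sees `Approval` events, a flagged entry should be confirmed with the token's `allowance(owner, spender)` view before and after revocation.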

The loss, while significant, does not reflect a broader security failure but highlights the need for continuous vigilance in managing corporate assets on public blockchains. For an exchange like Coinbase, which is frequently viewed as a benchmark for security and compliance, the event serves as a rare but necessary reminder of the challenges inherent in the DeFi environment [3].

Source:

[1] Coinbase loses $300K token fees in 0x contract error - Cointelegraph (https://cointelegraph.com/news/coinbase-0x-contract-error-mev-bot-300k-loss)

[2] Coinbase loses $300K token fees in 0x contract error - advfn.com (https://mx.advfn.com/bolsa-de-valores/COIN/BTCUSD/crypto-news/96634044/expensive-lesson-coinbase-loses-300k-token-f)

[3] Coinbase Smart Contract Blunder: A $300K Loss And ... - Bitcoin World (https://bitcoinworld.co.in/coinbase-smart-contract-blunder/)
