Coinbase Loses $300K After 0x Swapper Contract Misconfiguration Lets MEV Bots Drain Wallet

Generated by AI Agent, Coin World
Thursday, Aug 14, 2025 1:51 am ET
Aime Summary

- Coinbase lost $300,000 in token fees after a 0x swapper contract misconfiguration enabled MEV bots to drain a corporate wallet.

- The error occurred when Coinbase mistakenly granted spending rights to a contract designed for swaps, not token storage.

- Chief Security Officer Philip Martin called it an "isolated issue," stressing no customer funds were compromised.

- Security researcher "deeberiroz" highlighted how bots exploited the misstep by rapidly transferring approved tokens before access revocation.

- The incident underscores MEV bot risks in blockchain ecosystems, where automated strategies profit from transaction order manipulation.

Coinbase, one of the largest cryptocurrency exchanges, lost approximately $300,000 in token fees due to a misconfigured interaction with the 0x protocol’s “swapper” contract, which inadvertently allowed MEV bots to exploit a corporate wallet [1]. The incident occurred when Coinbase mistakenly granted spending rights to the swapper contract, which is designed to execute token swaps but not to store token allowances. Once the approval was live, the bots quickly drained the wallet of all approved tokens [1].

Philip Martin, Coinbase’s chief security officer, confirmed the issue in a post on X, describing it as an “isolated issue” related to a change in one of the exchange’s corporate decentralized exchange (DEX) wallets. He emphasized that no customer funds were affected [1]. The exploit was first identified by security researcher “deeberiroz” of Venn Network, who posted about it on the platform. The researcher noted that the bots were essentially waiting for a high-value account like Coinbase’s fee receiver to make such an error before initiating the drain [1].

The swapper contract, being permissionless, allowed the MEV bots to call it and transfer the approved tokens directly to their own addresses. MEV, or “maximal extractable value,” typically involves bots that front-run or reorder blockchain transactions to extract profit. In this case, they executed transfers before Coinbase could revoke access [1]. The breach highlights the vulnerabilities that even major exchanges can face due to automated trading strategies and the complexity of smart contract interactions [1].
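A defender-side check for the misstep described above, as an added example that is not code from Coinbase, 0x or the original article: it scans ERC-20 Approval event logs and flags any non-zero allowance that a monitored wallet grants to a spender outside an allowlist. The wallet, spender and token addresses, the transaction hashes and the allowlist are constructed assumptions; the log fields follow the JSON-RPC `eth_getLogs` shape.

```python
# Added example; every address and transaction hash below is constructed.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

WALLET = "0x" + "aa" * 20            # monitored corporate wallet (constructed)
ALLOWANCE_TARGET = "0x" + "bb" * 20  # spender meant to hold allowances (assumed)
SWAPPER = "0x" + "cc" * 20           # permissionless swap executor (constructed)
TOKEN = "0x" + "dd" * 20             # ERC-20 token contract (constructed)
MONITORED_OWNERS = {WALLET}
ALLOWED_SPENDERS = {ALLOWANCE_TARGET}

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def risky_approvals(logs):
    """Return approvals from monitored wallets to spenders outside the allowlist."""
    findings = []
    for log in logs:
        topics = log.get("topics", [])
        # ERC-721 Approval shares this topic hash but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        amount = int(log["data"], 16)
        # amount == 0 is a revocation, which is the desired end state.
        if owner in MONITORED_OWNERS and amount > 0 and spender not in ALLOWED_SPENDERS:
            findings.append({"tx": log["transactionHash"], "token": log["address"],
                             "spender": spender, "unlimited": amount == MAX_UINT256})
    return findings

def make_log(tx, spender, amount):
    """Build a constructed Approval log from WALLET to `spender`."""
    pad = lambda addr: "0x" + "00" * 12 + addr[2:]
    return {"address": TOKEN, "transactionHash": tx,
            "data": "0x" + format(amount, "064x"),
            "topics": [APPROVAL_TOPIC, pad(WALLET), pad(spender)]}

SAMPLE_LOGS = [
    make_log("0x01", ALLOWANCE_TARGET, MAX_UINT256),  # allowlisted spender, ignored
    make_log("0x02", SWAPPER, MAX_UINT256),           # unlisted spender, flagged
    make_log("0x03", SWAPPER, 0),                     # revocation, ignored
]
```

Running such a check against a pending approval before it is signed, rather than only against mined logs, matters here because the article reports that the drain happened before access could be revoked.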

While the loss is relatively minor for a firm of Coinbase’s size, the incident underscores the risks associated with MEV bots in blockchain ecosystems. These bots have long been a presence in

and other networks, profiting from events like token launches and liquidity operations by leveraging mempool visibility and transaction order manipulation [1]. In this case, the bots acted swiftly upon the misstep, executing the drain instantly [1].

Source: [1] Coinbase Loses $300K in MEV Exploit After Misstep With 0x Swapper Contract (https://www.coindesk.com/markets/2025/08/14/coinbase-loses-usd300k-in-mev-exploit-after-misstep-with-0x-swapper-contract)
