MEV bots took advantage of the situation by draining the wallet after Coinbase mistakenly approved tokens to a swapper contract.
Crypto exchange Coinbase lost roughly $300,000 in token fees after a misconfigured interaction with decentralized exchange protocol 0x’s “swapper” contract allowed MEV bots to siphon funds from one of its corporate wallets.
Coinbase’s chief security officer Philip Martin confirmed the mishap and called it an “an isolated issue” tied to a change in one of the exchange’s corporate DEX wallets. He stressed that no customer funds were affected, per an X post.
Security researcher “deeberiroz” of Venn Network first flagged the exploit on Wednesday, saying Coinbase mistakenly approved tokens to the swapper contract — a permissionless tool designed for executing swaps but not intended to hold token allowances.
That setup opened the door for opportunistic MEV bots, which immediately drained the wallet once approvals were live.
MEV, or “maximal extractable value,” refers to the practice of front-running or reordering blockchain transactions to capture profits, or in this case, executing transfers before Coinbase could revoke access.
“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract — and then drain all their funds,” the researcher wrote on X. “Well, their dream came true thanks to Coinbase … They made a killing by draining the Coinbase fee receiver account of all the tokens they gathered.”
Because the contract can be accessed by anyone, the bots were able to call it (a software term requesting services from another program) to transfer out the approved tokens directly to their own addresses.
While $300,000 is immaterial for Coinbase, the breach shows how even leading exchanges are vulnerable to small but sophisticated forms of automated trading exploitation.
MEV bots have long been a fixture in Ethereum and other blockchain ecosystems, profiting from token launches, NFT mints, and liquidity events by exploiting memepool visibility and transaction reordering.
In this case, the bots simply waited for a high-value wallet — like Coinbase’s fee receiver — to mistakenly grant spending rights to an exposed contract, then executed the drain instantly.
