
On August 13, 2025, Coinbase, a major cryptocurrency exchange, lost over $300,000 in token fees because of a botched interaction with a 0x Project smart contract. The incident, brought to light by security researcher Deebeez from Venn Network, highlights the weaknesses of decentralized finance (DeFi) platforms and the danger of misconfigured smart contract interactions.
Fortunately, the incident did not result in any loss of client money, but it caused significant financial damage to one of the largest companies in the industry.
The incident resulted from Coinbase’s corporate wallet wrongly approving tokens, including Amp, MyOneProtocol, DEXTools, and Swell Network, to a 0x “swapper” contract. This permissionless contract is meant to facilitate token trading, not to hold token approvals.
Because the contract is open, anyone can call it to do whatever they want, so tokens approved to it can be taken by an unauthorized caller immediately. Deebeez said that similar problems had happened before with Zora claims on the Base Layer 2 network, showing that these kinds of arrangements are always vulnerable.
An MEV (Maximal Extractable Value) bot took advantage of the mistake soon after Coinbase granted these approvals. The bot, which was said to be “lurking in the dark,” quickly called the swapper contract and moved the approved tokens from Coinbase’s fee receiver account to its own addresses. This quick theft took all the tokens from the wallet, costing $300,000.
Philip Martin, Coinbase’s Chief Security Officer, said that the event was an “isolated issue” related to a modification in the settings of one of the exchange’s corporate DEX wallets. Martin emphasized that no customer assets were lost.
To fix the breach, Coinbase quickly revoked the token allowances and moved the rest of the money to a new corporate wallet to prevent further losses. The business also promised to improve its security measures so that mistakes like this don’t happen again.
This event shows how MEV bots are still a threat since they use transaction ordering and mempool visibility to profit from mistakes or inefficiencies. Similar occurrences, including the theft of $25 million in 2023 and the loss of $180,000 in Ether in April 2025, show how these bots are getting better at targeting systems that aren’t correctly configured.
For Coinbase, a major player in the crypto field, this $300,000 loss is small relative to its overall business, but it shows how important it is to be careful when dealing with DeFi.
The Coinbase mistake is a potent reminder of how important it is to double-check how smart contracts are set up. As Deebeez put it, this was an “expensive lesson” for Coinbase that showed the pitfalls of permissionless contracts in DeFi.
The case also shows how important it is for companies to have strong internal mechanisms to protect their wallets and stop fraudulent payments. As the crypto sector evolves, exchanges and consumers alike must prioritize security to guard against the ever-present threat of automated exploitation.
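
One form such an internal mechanism can take is a policy gate that decodes every transaction before a corporate wallet signs it and refuses token approvals to spenders that have not been vetted. The sketch below is an added example, not Coinbase's or 0x's code; the addresses, the allowlist and the rule against unlimited allowances are assumptions made for illustration.

```python
APPROVE = "095ea7b3"             # selector of approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"  # selector of increaseAllowance(address,uint256)
MAX_UINT256 = 2**256 - 1
# Constructed placeholder addresses, not the contracts from the incident.
VETTED_ROUTER = "0x" + "aa" * 20
OPEN_SWAPPER = "0x" + "bb" * 20
ALLOWED_SPENDERS = {VETTED_ROUTER}   # hypothetical wallet policy


def encode_call(selector, spender, amount):
    """Build calldata for a two-argument (address, uint256) call."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(amount, "064x")


def decode_approval(calldata):
    """Return (spender, amount) for an approval call, None for any other call."""
    data = calldata.lower().removeprefix("0x")
    if data[:8] not in (APPROVE, INCREASE_ALLOWANCE):
        return None
    args = data[8:]
    if len(args) != 128 or int(args[:24], 16) != 0:
        raise ValueError("malformed approval calldata")
    return "0x" + args[24:64], int(args[64:], 16)


def review_transaction(calldata, allowed=ALLOWED_SPENDERS):
    """Return ('allow' | 'block', reason) for a transaction awaiting signature."""
    try:
        decoded = decode_approval(calldata)
    except ValueError as exc:
        return "block", str(exc)
    if decoded is None:
        return "allow", "not an approval call"
    spender, amount = decoded
    if amount == 0:
        return "allow", "zero amount grants nothing (revocation)"
    if spender not in allowed:
        return "block", f"spender {spender} is not on the allowlist"
    if amount == MAX_UINT256:
        return "block", "unlimited allowance (policy assumption: bounded only)"
    return "allow", "bounded allowance to a vetted spender"


if __name__ == "__main__":
    for spender, amount in [(OPEN_SWAPPER, MAX_UINT256), (VETTED_ROUTER, 10**18),
                            (OPEN_SWAPPER, 0)]:
        print(review_transaction(encode_call(APPROVE, spender, amount)))
```

The zero-amount path stays open on purpose, so the revocation step Coinbase used to contain the loss is never blocked by the same gate.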

