Coinbase lost roughly $300,000 in token fees after accidentally approving assets to a 0x Project smart contract, allowing a maximal extractable value (MEV) bot to drain the funds.
Deebeez, a security researcher at Venn Network, highlighted the incident in a Wednesday post on X. He explained that Coinbase’s corporate wallet interacted with 0x’s “swapper” contract—a permissionless tool intended for executing swaps, but not for receiving token approvals.
Because anyone can call the contract to perform arbitrary actions, granting approvals can leave assets vulnerable to immediate theft. “This same swapper is known to have had issues with Zora claims on Base,” Deebeez noted, pointing to past cases where the contract setup allowed malicious actors to extract funds without exploiting code vulnerabilities.
Screenshots shared by the researcher showed Coinbase approving tokens including Amp, MyOneProtocol, DEXTools, and Swell Network on Wednesday afternoon. Shortly after, an MEV bot used the swapper contract to transfer the approved tokens from Coinbase’s fee receiver account to its own addresses.

MEV bot lurking in the dark
Deebeez noted that the MEV bot responsible for draining Coinbase’s funds had been “lurking in the dark,” waiting for users to mistakenly approve the contract and allow it to seize their assets. “Their dream came true thanks to Coinbase,” the researcher wrote.
He added that the incident, which emptied the Coinbase fee receiver account of all its tokens, served as an “expensive lesson” for the team.
Coinbase’s chief security officer, Philip Martin, confirmed the event, calling it an “isolated issue” caused by a configuration change in one of the exchange’s corporate DEX wallets.
“No customer funds were affected,” Martin said, noting that Coinbase revoked the token approvals and transferred the remaining assets to a new corporate wallet.
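The approval risk described above, and the revocation step Coinbase took, can be monitored by replaying a wallet's ERC-20 Approval events and flagging any live allowance whose spender is not on an allowlist. This is an added example, not code from Coinbase, 0x or the researcher; the addresses, token labels and amounts are constructed placeholders, and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) log, already decoded."""
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int  # 0 means the allowance was revoked

def outstanding_allowances(events, owner):
    """Replay events in chain order; the latest value per (token, spender) wins.

    Assumption: spending via transferFrom is not subtracted, so this can
    over-report a partly used allowance, which is the safe side for alerting.
    """
    state = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner.lower() == owner.lower():
            state[(ev.token, ev.spender.lower())] = ev.value
    return {key: value for key, value in state.items() if value > 0}

def flag_unexpected_spenders(events, owner, allowed_spenders):
    """Return live allowances whose spender is not on the wallet's allowlist."""
    allowed = {s.lower() for s in allowed_spenders}
    live = outstanding_allowances(events, owner)
    return sorted((token, spender, value)
                  for (token, spender), value in live.items()
                  if spender not in allowed)

# Constructed placeholders, not values from the incident.
FEE_WALLET = "0x" + "a1" * 20     # corporate fee receiver
VETTED_ROUTER = "0x" + "b2" * 20  # spender the wallet is meant to approve
OPEN_SWAPPER = "0x" + "c3" * 20   # permissionless executor, never a valid spender
OTHER_OWNER = "0x" + "d4" * 20
MAX = 2**256 - 1

SAMPLE_EVENTS = [
    Approval(100, 0, "TOKEN_A", FEE_WALLET, VETTED_ROUTER, MAX),
    Approval(101, 3, "TOKEN_A", FEE_WALLET, OPEN_SWAPPER, MAX),
    Approval(101, 4, "TOKEN_B", FEE_WALLET, OPEN_SWAPPER, 5_000),
    Approval(105, 1, "TOKEN_B", FEE_WALLET, OPEN_SWAPPER, 0),  # revoked later
    Approval(106, 0, "TOKEN_C", OTHER_OWNER, OPEN_SWAPPER, MAX),
]

if __name__ == "__main__":
    for token, spender, value in flag_unexpected_spenders(
            SAMPLE_EVENTS, FEE_WALLET, [VETTED_ROUTER]):
        print(f"ALERT {token}: live allowance {value} to {spender}")
```

A check like this is detective only; the same allowlist applied before a transaction is signed stops the approval from being granted in the first place.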

MEV Bot Attack Drains $180,000 in Ether
In April, an MEV bot lost $180,000 in Ether after an attacker exploited a flaw in its access control system. The attacker reportedly swapped the bot’s ETH for a worthless token using a malicious pool created within the same transaction.
A similar incident occurred in 2023, when a rogue validator targeted MEV bots attempting “sandwich trades,” stealing $25 million in digital assets, including WBTC, USDC, USDT, DAI, and WETH.

