Coinbase, the largest US-based exchange, has reportedly lost $300,000 to MEV bots following a misconfiguration involving 0xProject’s token swap platform.
On Aug. 13, pseudonymous security researcher Deebeez revealed that Coinbase mistakenly used the 0x swapper to approve tokens, a function it was never designed for.
He noted:
“0x has a swapper which is never meant to get approvals. This same swapper is known to have had issues with Zora claims on Base, since it allows users to have it make arbitrary calls.”
According to him, this approval granted unlimited access to the tokens accrued as fees in the exchange’s router, creating an opening for exploitation.

As a result of this oversight, the MEV bots drained Coinbase’s fee receiver account of all accumulated tokens.
He added:
“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract – and then drain all their funds. Well, their dream came true thanks to Coinbase.”
Coinbase’s response
Coinbase Chief Security Officer Philip Martin confirmed the breach was an isolated event.
According to Martin, the incident stemmed from a recent change to one of the company’s corporate decentralized exchange (DEX) wallets, which led to unauthorized token transfers.
Meanwhile, he stressed that the incident impacted no customer assets.
Martin added that the exchange has since revoked token allowances and moved its holdings to a new corporate wallet to prevent further losses.
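The following is an added example, not code from Coinbase, 0x or the researcher. It is a defender-side audit that replays ERC-20 Approval logs for a wallet and reports allowances still live to a contract that should never hold approvals, treating a later zero-value approval as the revocation described above. All addresses and logs are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit ERC-20 approvals from Approval event logs (constructed data).
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs):
    """Replay logs in chain order; the last approved value per (token, owner, spender) wins.
    This is the last *approved* amount; spends may have reduced a finite allowance."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # e.g. ERC-721 Approval shares the signature but has 4 topics
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}  # zero means revoked

def risky_approvals(logs, owner, no_approval_spenders):
    """Live allowances from `owner` to contracts that must never hold approvals."""
    deny = {s.lower() for s in no_approval_spenders}
    return [
        {"token": token, "spender": spender, "value": value, "unlimited": value == UNLIMITED}
        for (token, holder, spender), value in outstanding_allowances(logs).items()
        if holder == owner.lower() and spender in deny
    ]

# --- constructed sample data: placeholder addresses, not real contracts ---
FEE_WALLET, SWAPPER, ROUTER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20

def make_log(token, owner, spender, value, block, index):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": index}

SAMPLE_LOGS = [
    make_log(TOKEN_B, FEE_WALLET, SWAPPER, 0, 105, 0),          # later revocation
    make_log(TOKEN_A, FEE_WALLET, SWAPPER, UNLIMITED, 100, 0),  # unlimited, still live
    make_log(TOKEN_B, FEE_WALLET, SWAPPER, UNLIMITED, 100, 1),  # unlimited, revoked at 105
    make_log(TOKEN_A, FEE_WALLET, ROUTER, 5000, 101, 0),        # spender not on the deny list
]

if __name__ == "__main__":
    for finding in risky_approvals(SAMPLE_LOGS, FEE_WALLET, [SWAPPER]):
        print(finding)
```

Because the log carries only the last approved amount, confirm a finite finding with the token's `allowance(owner, spender)` call before relying on it.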
This security incident follows an insider-driven data breach that exposed the personal information of nearly 70,000 users.
Coinbase reported that the perpetrators attempted to extort $20 million in Bitcoin. They also used the stolen data to impersonate company staff in sophisticated social engineering schemes, which reportedly led to the theft of millions of dollars.
Since then, Coinbase said it has strengthened its security protocols to prevent future attacks and terminated the employees implicated in the breach.