
Coinbase Suffers $300,000 Loss To MEV Bot Following Interaction With 0x “Swapper” Contract

Earlier today, on 14th August, Coinbase suffered a $300,000 loss in accumulated token fees after a misconfigured interaction with the 0x Project’s “swapper” contract exposed its corporate DEX wallet to exploitation by a malicious MEV bot. 

The incident was first revealed by security researcher “deeberiroz” from Venn Network, who posted details on X, including blockchain transaction data showing that Coinbase mistakenly approved tokens to the permissionless swapper contract. 

The smart contract, designed for executing token swaps without ownership restrictions, was never meant to receive direct token approvals. 

The vulnerability allowed an MEV bot to quickly drain the wallet of approved assets, including tokens such as Amp, MyOneProtocol, DEXTools, and Swell Network.

How the Exploit Happened

The swapper contract’s permissionless nature means that anyone can call it to execute arbitrary transactions, which makes it a flexible tool for decentralized trading, but also a potential risk if misused. 

Coinbase’s misstep occurred at around 3:21pm, when token approvals were granted to the swapper address, essentially giving any actor with knowledge of the approval the ability to transfer those tokens. 

MEV bots, programs designed to extract value from blockchain transactions, are known to scan mempools for such opportunities. 

According to Deeberiroz, one such bot was “lurking” and waiting for mistaken approvals. 

Once Coinbase’s corporate wallet became exposed, the bot executed transfers via the swapper contract, siphoning all authorized tokens to its own address within minutes.


Coinbase Confirms and Responds to the Breach

Philip Martin, Chief Security Officer at Coinbase Global, confirmed the researcher’s findings on X, clarifying that the breach was an “isolated issue” caused by a configuration change in one of Coinbase’s corporate DEX wallets.

He emphasized that no customer funds were affected, as the loss came from Coinbase’s own fee revenue wallet. 

Coinbase took action by revoking all token allowances associated with the swapper contract and transferring leftover assets to a new secure corporate wallet.
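The remediation described above starts with knowing which allowances are still live. The following is an added example, not code from Coinbase, 0x, or the researcher: it replays ERC-20 `Approval` event logs for a wallet and lists non-zero allowances granted to spenders on a watchlist of contracts that execute caller-supplied calls. The log layout follows the standard `eth_getLogs` fields; all addresses, the watchlist, and the sample logs are constructed placeholders.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the last 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs):
    """Replay Approval events in chain order. The last value seen per
    (token, owner, spender) is an upper bound on the live allowance:
    transferFrom may reduce it without emitting Approval, so confirm
    with an allowance() call before acting on the result."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        key = (log["address"].lower(), topic_to_address(topics[1]),
               topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return state

def risky_allowances(logs, owner, watchlist):
    """Non-zero allowances from `owner` to any spender on `watchlist`
    (contracts that will execute caller-supplied calls)."""
    watch = {a.lower() for a in watchlist}
    return sorted((token, spender, amount)
                  for (token, o, spender), amount in outstanding_allowances(logs).items()
                  if o == owner.lower() and spender in watch and amount > 0)

# --- constructed sample data; every address is a placeholder ---
OWNER, SWAPPER, ROUTER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20

def make_log(token, owner, spender, amount, block, index):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    make_log(TOKEN_B, OWNER, SWAPPER, 0, 105, 2),          # later revocation
    make_log(TOKEN_A, OWNER, SWAPPER, UNLIMITED, 100, 0),  # unlimited approval
    make_log(TOKEN_B, OWNER, SWAPPER, 5000, 100, 1),
    make_log(TOKEN_B, OWNER, ROUTER, 700, 101, 0),         # spender not watched
]

if __name__ == "__main__":
    for token, spender, amount in risky_allowances(SAMPLE_LOGS, OWNER, [SWAPPER]):
        label = "UNLIMITED" if amount == UNLIMITED else amount
        print(f"revoke: token={token} spender={spender} allowance={label}")
```

Each entry it reports is an allowance to revoke by approving zero for that token and spender.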

The quick action, while limiting further damage, still illustrates how even major exchanges can become the victims of exploits by advanced automated trading bots when operational misconfigurations exist.


Broader Context: MEV Bot Exploits on the Rise

This is not the first time MEV bots have been implicated in high-profile losses within the decentralized finance (DeFi) sector. 

According to UnoCrypto news, on March 13th, a trader on Uniswap V3 lost over $215,000 in a flash “sandwich attack”, an MEV strategy that manipulates transaction ordering to extract value, during a stablecoin swap. 

Also, we reported that Venus Protocol on the BNB Chain was hacked for $2 million through a smart-contract exploit involving MEV bots and weak permission settings on June 25th. 

More recently, on August 7th, we reported that scammers had used fake MEV bot contracts and advanced obfuscation techniques to trick crypto users into deploying malicious code, stealing over $1 million.

These incidents underscore the increasing sophistication and prevalence of MEV-related exploits.

