- Coinbase unintentionally granted token spending permissions to the 0x protocol’s “swapper” contract, losing $300,000 via an MEV bot.
- Security researcher “deeberiroz” of Venn Network highlighted how the MEV bot was effectively “waiting in the shadows” for such a configuration mistake.
- Coinbase’s Chief Security Officer, Philip Martin, confirmed the breach was limited to a corporate decentralized exchange (DEX) wallet.
Coinbase recently suffered an unexpected loss of roughly $300,000 because of a misconfiguration involving the 0x protocol's swapper contract. According to an X post by security researcher "deeberiroz" of Venn Network, the incident occurred when Coinbase mistakenly granted token spending permissions to the swapper. The swapper is a contract intended solely to execute trades; it is not meant to hold token allowances.
MEV (Maximal Extractable Value) bots detected the error and drained the wallet before the approval could be revoked. Coinbase's Chief Security Officer, Philip Martin, confirmed this was an isolated issue tied to a corporate decentralized trading wallet and said no customer funds were affected. The firm promptly revoked the approvals and moved the remaining assets into a more secure wallet setup.
What is the 0x swapper and how does it work?
The 0x swapper contract is a decentralized exchange (DEX) component designed to facilitate token swaps. It is permissionless, meaning anyone can call it to execute trades. That is precisely why it should never be granted a token allowance: an allowance to a contract that anyone can drive is, in effect, an allowance to everyone. Coinbase's misconfiguration gave the contract temporary access to the wallet's tokens, and MEV bots used that access immediately.
In this case the bots were not exploiting a flaw in the swapper itself. They were watching for a high-value wallet, such as Coinbase's fee collector, to accidentally authorize an exposed contract, and once the approval landed on-chain they used the contract to pull the funds out.
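The following Python model is an added illustration, not Coinbase's or 0x's code: the token, the swapper, the wallet and the bot addresses are all constructed names. It shows why a standing allowance to a permissionless contract is equivalent to an allowance to every caller, and contrasts it with the per-trade approval plus audit-and-revoke pattern a practitioner would want in place.

```python
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1


@dataclass
class Token:
    """Minimal ERC-20 allowance model (constructed for this example)."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)   # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # ERC-20 semantics: `caller` (msg.sender) spends `owner`'s allowance.
        allowed = self.allowances.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Swapper:
    """Permissionless router: anyone can make it execute a call, and the
    inner call is made with the swapper's own address as msg.sender."""
    def __init__(self, address):
        self.address = address

    def execute(self, caller, fn, *args):
        # No access control on `caller`. This is the property that turns an
        # allowance granted to the swapper into an allowance for everybody.
        return fn(self.address, *args)


def mev_bot_drain(token, swapper, victim, bot):
    """Pull everything `victim` has approved to the swapper, capped by balance."""
    allowance = token.allowances.get((victim, swapper.address), 0)
    amount = min(allowance, token.balances.get(victim, 0))
    if amount:
        swapper.execute(bot, token.transfer_from, victim, bot, amount)
    return amount


def exposed_allowances(token, owner, permissionless):
    """Audit check: standing non-zero allowances from `owner` to contracts
    that anyone can call. Every entry returned is money a bot can take."""
    return [(spender, amt) for (o, spender), amt in token.allowances.items()
            if o == owner and spender in permissionless and amt > 0]


def scenario_misconfigured():
    """The mistake: an unlimited standing approval to a permissionless contract."""
    token = Token(balances={"fee_collector": 300_000})
    swapper = Swapper("swapper")
    token.approve("fee_collector", swapper.address, UINT256_MAX)
    drained = mev_bot_drain(token, swapper, "fee_collector", "mev_bot")
    return drained, token.balances["fee_collector"]


def scenario_hardened():
    """Approve exactly the trade size, consume it in the same transaction,
    then audit and revoke anything left before a bot can reach it."""
    token = Token(balances={"fee_collector": 300_000})
    swapper = Swapper("swapper")
    trade = 50_000
    token.approve("fee_collector", swapper.address, trade)
    # The legitimate trade: the swapper moves the tokens into a pool for the owner.
    swapper.execute("fee_collector", token.transfer_from, "fee_collector", "pool", trade)
    for spender, _ in exposed_allowances(token, "fee_collector", {swapper.address}):
        token.approve("fee_collector", spender, 0)      # defensive revoke
    drained = mev_bot_drain(token, swapper, "fee_collector", "mev_bot")
    leftover = exposed_allowances(token, "fee_collector", {swapper.address})
    return drained, token.balances["fee_collector"], leftover


if __name__ == "__main__":
    print("misconfigured:", scenario_misconfigured())   # bot takes the full balance
    print("hardened:     ", scenario_hardened())        # bot takes nothing
```

The model deliberately leaves the drain logic trivial: the bot never needs a bug in the swapper, only the existence of the allowance, which is exactly what an on-chain watcher polling `allowance(owner, swapper)` on high-value addresses is looking for. The `exposed_allowances` check is the one to run against a treasury wallet after every integration change.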
MEV bots are notorious for exploiting various on-chain inefficiencies. There are instances of bots reordering or inserting transactions in DEX environments to profit, often paying higher gas fees to jump ahead. Another analysis reports over $3.88 million in losses from unfair trade executions, all of them tied to extractable value strategies.