Coinbase Lost $300,000 Due to 0x Protocol

Coinbase, the largest US-based cryptocurrency exchange, lost approximately $300,000 in tokens due to a faulty interaction with 0xProject's "swapper" contract. The incident was reportedly caused by a misconfiguration in one of the exchange's institutional wallets, and MEV bots seized the opportunity and drained the funds.

Anonymous security researcher Deebeez revealed on X (formerly Twitter) that Coinbase had granted token approval to the 0x "swapper" contract. This permission, normally used for token swaps, gave the contract unlimited token transfer authority. As a result, MEV bots were able to withdraw all the tokens that had accumulated from transaction fees at Coinbase's router address.

The researcher stated, "There were MEV bots waiting for users who mistakenly approved this contract. Thanks to Coinbase, their dream has come true."
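As an added illustration (not from the article, Coinbase, or 0x), the following Python example shows how a wallet operator could audit for the kind of standing unlimited approval described above: it replays ERC-20 `Approval` event logs for one owner and flags live unlimited allowances to spenders outside a reviewed allowlist. All addresses and logs are constructed placeholders, and the allowlist, the helper names, and the `UNLIMITED_FLOOR` threshold are assumptions.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: amounts this large are effectively unlimited

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Replay Approval events in chain order; the last one per (token, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic hash but has 4 topics
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) revokes the allowance
        else:
            state[key] = amount
    return state

def risky_approvals(logs, owner, allowlist):
    """Live unlimited approvals whose spender is not on the reviewed allowlist."""
    allow = {a.lower() for a in allowlist}
    return sorted(k for k, amt in outstanding_approvals(logs, owner).items()
                  if amt >= UNLIMITED_FLOOR and k[1] not in allow)

def make_log(token, owner, spender, amount, block, index=0):
    """Build a constructed log in the shape of an eth_getLogs entry (ints decoded)."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": index}

# Constructed placeholder addresses, not real contracts or wallets.
OWNER, TOKEN_A, TOKEN_B = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
REVIEWED_ROUTER, UNREVIEWED = ("0x" + b * 20 for b in ("d4", "e5"))
SAMPLE_LOGS = [
    make_log(TOKEN_B, OWNER, UNREVIEWED, 0, block=105),            # later revocation
    make_log(TOKEN_A, OWNER, REVIEWED_ROUTER, MAX_UINT256, block=100),
    make_log(TOKEN_A, OWNER, UNREVIEWED, MAX_UINT256, block=101),  # should be flagged
    make_log(TOKEN_B, OWNER, UNREVIEWED, MAX_UINT256, block=102),
    make_log(TOKEN_B, OWNER, REVIEWED_ROUTER, 1_000, block=103),   # bounded amount
]

if __name__ == "__main__":
    print(risky_approvals(SAMPLE_LOGS, OWNER, [REVIEWED_ROUTER]))
```

Event replay yields the last approved value, which `transferFrom` calls may since have reduced, so confirm each flagged pair against the token's `allowance(owner, spender)` before acting on it.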

Coinbase Statement

Coinbase Security Director Philip Martin stated that the incident was isolated and was caused solely by a change to an institutional DEX wallet. Martin explained that customer assets were unaffected, all token permissions were revoked, and funds were moved to a new corporate wallet.

This incident marks the second major security issue the exchange has faced in recent months. Previously, there was an insider data breach that leaked the personal information of approximately 70,000 users, and the perpetrators reportedly demanded $20 million in Bitcoin. Following that incident, Coinbase announced that it had tightened its security protocols and terminated the employment of the relevant employees.

The Role of MEV Bots

MEV (maximal extractable value) bots are automated tools that profit by reordering or prioritizing blockchain transactions. While these bots typically target token launches, NFT mints, and liquidity events, in this case they profited by withdrawing all funds from Coinbase's corporate wallet after the faulty approval.

According to experts, such attacks could be an example of "composability attacks," a new class of risk on the blockchain. In composability attacks, the unexpected interaction of individually secure smart contracts can create a security vulnerability. A similar incident occurred previously with the 0x contract, where a project called Zora lost $128,000 in ETH.

Although the incident did not affect customer assets, the occurrence of such an error, despite Coinbase's size, sparked criticism on social media. Some users argued that the exchange's recent technical issues and controversial token listings had damaged its credibility.

According to market data, Coinbase is the ninth-largest cryptocurrency exchange in the world and the largest in the US, with a 5.8% share of global trading volume.
