Coinbase Loses $300K to MEV Attack via 0x Contract Misconfiguration

Coinbase recently took a hit, losing about $300,000. This loss came from tokens the company had gathered as fees. The problem wasn’t a hacking attack in the usual sense. Instead, automated programs known as MEV bots quickly grabbed the funds. They capitalized on a setup error within a contract from the 0x protocol.

This costly slip was first spotted by a security researcher named “deeberiroz” from Venn Network. The researcher shared details, explaining how Coinbase had lost thousands of dollars in accumulated fee tokens. It all started when the exchange wrongly gave approval for certain tokens to be spent. These tokens included Amp, MyOneProtocol, DEXTools, and Swell Network. Coinbase sent these approvals to a “swapper” contract from 0x one Wednesday afternoon.

The swapper contract is built for permissionless swaps: anyone can call it without restriction. A contract like that is not supposed to hold standing token approvals, because an allowance granted to it can be exercised by whoever calls it, which leaves the approved funds open to risk. Since no special permissions were needed, any entity could interact with the contract, and MEV bots quickly moved in. They transferred the approved tokens from a Coinbase corporate wallet directly to their own addresses.
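The defensive check this incident calls for is an allowance audit: replay a wallet's ERC-20 Approval events, list which spenders still hold a non-zero allowance, flag any spender that is not a deliberately approved contract, and prepare the revoke call. The script below is an added example, not code from the article, 0x or Coinbase; the addresses and event logs are constructed sample data, and the allowlist is a hypothetical list of spenders the operator meant to approve.

```python
# Added example (not from the article, 0x or Coinbase): audit ERC-20 allowances
# from raw Approval event logs and build revoke calldata for unexpected spenders.

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def _addr(topic_hex):
    """Topics are 32-byte words; an indexed address sits in the low 20 bytes."""
    return "0x" + topic_hex[-40:].lower()

def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order; each event reports the new allowance, not a delta."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC or _addr(log["topics"][1]) != owner.lower():
            continue
        spender = _addr(log["topics"][2])
        allowances[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {k: v for k, v in allowances.items() if v > 0}  # only live allowances

def flag_unexpected(allowances, allowlist):
    """Anything approved to a spender outside the operator's allowlist needs review."""
    allowed = {a.lower() for a in allowlist}
    return {k: v for k, v in allowances.items() if k[1] not in allowed}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, 32-byte padded address, 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# ---- constructed sample data (hypothetical addresses, not real ones) ----
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, ROUTER, SWAPPER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
MAX_UINT = "0x" + "f" * 64

def _topic(addr):
    return "0x" + addr[2:].rjust(64, "0")

def _log(block, idx, owner, spender, value_hex):
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx, "data": value_hex,
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)]}

SAMPLE_LOGS = [
    _log(99, 1, OWNER, SWAPPER, "0x" + "5".rjust(64, "0")),   # old small allowance, later overwritten
    _log(100, 3, OWNER, ROUTER, "0x" + hex(1000)[2:].rjust(64, "0")),
    _log(101, 0, OWNER, SWAPPER, MAX_UINT),                   # unlimited approval to a permissionless swapper
    _log(101, 5, OTHER, SWAPPER, MAX_UINT),                   # different owner, must be ignored
]

if __name__ == "__main__":
    for (token, spender), amount in flag_unexpected(outstanding_allowances(SAMPLE_LOGS, OWNER), [ROUTER]).items():
        print(f"REVIEW token={token} spender={spender} allowance={amount}")
        print(f"  revoke tx data: {revoke_calldata(spender)}")
```

Run against real logs by fetching `eth_getLogs` for the Approval topic with the wallet as the indexed owner; the revoke calldata is what a signer would send to the token contract to zero the allowance.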

A Specific Glitch

Philip Martin, Coinbase’s security director, confirmed the incident on social media. He called it a “problem isolated” to a recent change in one of the company’s decentralized exchange (DEX) corporate wallets. Martin stressed that customer funds were safe. Coinbase acted fast. They canceled the token approvals and moved any remaining assets to a new wallet. While $300,000 is a small sum for a company Coinbase’s size, this event shows something important. Even leading platforms can fall victim to smart attacks.

Understanding MEV Bots

MEV stands for Maximum Extractable Value. It’s a key idea in blockchains like Ethereum. It refers to a method where automated bots, often run by validators, reorder, insert, or exclude transactions drawn from the mempool. The mempool is like a waiting area for pending transactions. Bots do this to extract the most value from each block they influence.

Essentially, MEV bots are always looking for arbitrage opportunities. They execute trades before others to profit from price differences. In this case, they took advantage of a misconfiguration. These bots were “lurking” on the network, watching for high-value approvals. The moment Coinbase gave spending rights to an exposed contract, the bots sprang into action and completed instant transfers. This happened before Coinbase could block access, scooping up the funds in seconds.

The 0x “swapper” contract is a decentralized tool for peer-to-peer trades. It has been involved in similar issues before. For example, there were problems with claims during the Zora airdrop on the Base network. Coinbase helped develop the Base network.

These types of bots are common in blockchain systems. They use the public nature of pending transactions to make money. This happens during things like token launches, NFT mints, or when people add liquidity. This incident isn’t the first to highlight the risks of MEV. Many criticize the practice because it can create unfairness in decentralized networks. But it also pushes for new solutions, like “flashbots,” to lessen its negative effects. For Coinbase, this event is a strong reminder. It shows the need for very careful checks on how they interact with DeFi protocols, even for their own internal operations.
