Coinbase lost approximately $300,000 in token fees due to mistakenly approving assets to the 0x Project smart contract, allowing a maximum extractable value (MEV) bot to withdraw those funds.

Deebeez, a security researcher at Venn Network, pointed out the incident in a post on Wednesday. He explained that Coinbase's corporate wallet had interacted with the 0x 'swap' contract, a permissionless tool designed to execute swaps, and one that should never have been granted token approvals.

Because anyone can call the contract and have it perform arbitrary operations, granting it a token approval can lead to immediate theft of the approved assets. The researcher noted that the same swap contract had been involved in a similar issue during the Zora statement on Base, where malicious actors extracted funds without exploiting any code vulnerability.

Screenshots shared by Deebeez show that Coinbase approved tokens including Amp, MyOneProtocol, DEXTools, and Swell Network on Wednesday afternoon. Shortly afterwards, an MEV bot called the swap contract and transferred the approved tokens from Coinbase's fee-receiving account to its own address.
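The approve-then-drain sequence in those screenshots is visible on-chain as ERC-20 Approval events. The following is an added example (not code from Coinbase, Venn Network or 0x) that scans constructed Approval logs for allowances a monitored wallet granted to a placeholder arbitrary-call contract and builds the approve(spender, 0) calldata that revokes them; the wallet and spender addresses are hypothetical, only the ERC-20 event topic and function selector are real.

```python
"""Flag ERC-20 approvals granted to a permissionless arbitrary-call contract and
build the approve(spender, 0) calldata that revokes them. Added example, not code
from Coinbase, Venn Network or 0x; wallet/spender addresses and logs are constructed."""

# Real ERC-20 constants: keccak256("Approval(address,address,uint256)") and the
# 4-byte selector of approve(address,uint256).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"
# Contracts anyone can call to run arbitrary operations against their allowances;
# any allowance granted to them is claimable by the first caller. Placeholder
# address, not the real 0x swap contract.
ARBITRARY_CALL_SPENDERS = {"0x" + "0f" * 20}
CORPORATE_WALLET = "0x" + "c0" * 20  # hypothetical fee-receiving wallet

def topic_to_address(topic: str) -> str:
    """Indexed address arguments sit left-padded to 32 bytes in topics[1..]."""
    return "0x" + topic[-40:].lower()

def find_risky_approvals(logs, owners):
    """Return (token, owner, spender, amount) for each non-zero Approval event
    in which one of `owners` granted an allowance to a risky spender."""
    owners = {o.lower() for o in owners}
    found = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval(owner, spender, value)
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        amount = int(log["data"], 16)
        if owner in owners and spender in ARBITRARY_CALL_SPENDERS and amount > 0:
            found.append((log["address"].lower(), owner, spender, amount))
    return found

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte address + 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def _padded(addr: str) -> str:  # encode an address the way an indexed topic does
    return "0x" + "00" * 12 + addr[2:]

# Constructed sample logs: a normal approval to some router, then an unlimited
# approval from the corporate wallet to the arbitrary-call contract.
SAMPLE_LOGS = [
    {"address": "0x" + "aa" * 20, "data": "0x" + "00" * 31 + "64",
     "topics": [APPROVAL_TOPIC, _padded(CORPORATE_WALLET), _padded("0x" + "11" * 20)]},
    {"address": "0x" + "bb" * 20, "data": "0x" + "ff" * 32,
     "topics": [APPROVAL_TOPIC, _padded(CORPORATE_WALLET), _padded("0x" + "0f" * 20)]},
]
```

Running `find_risky_approvals(SAMPLE_LOGS, [CORPORATE_WALLET])` returns only the second, unlimited approval; feeding its spender to `revoke_calldata` gives the transaction data a wallet would send to the token contract to zero the allowance.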

The lurking MEV bot

Deebeez stated that the MEV bot extracting Coinbase funds had been 'lurking in the shadows', waiting for users to mistakenly approve contracts to withdraw all funds. 'Thanks to Coinbase, their dreams came true,' the researcher wrote.

Coinbase's Chief Security Officer Philip Martin confirmed the incident, calling it an 'isolated incident' related to a configuration change to one of the company's DEX wallets.

'Customer funds were not affected,' Martin stated, adding that Coinbase has revoked token permissions and moved the remaining funds to a new corporate wallet.