Crypto exchange Coinbase lost roughly $300,000 in token fees after a misconfigured interaction with decentralized exchange protocol 0x’s “swapper” contract allowed MEV bots to siphon funds from one of its corporate wallets.

Coinbase’s chief security officer Philip Martin confirmed the mishap and called it an “an isolated issue” tied to a change in one of the exchange’s corporate DEX wallets. He stressed that no customer funds were affected, per an X post.

Security researcher “deeberiroz” of Venn Network first flagged the exploit on Wednesday, saying Coinbase mistakenly approved tokens to the swapper contract — a permissionless tool designed for executing swaps but not intended to hold token allowances.

That setup opened the door for opportunistic MEV bots, which immediately drained the wallet once approvals were live.

MEV, or “maximal extractable value,” refers to the practice of front-running or reordering blockchain transactions to capture profits, or in this case, executing transfers before Coinbase could revoke access.

“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract — and then drain all their funds,” the researcher wrote on X. “Well, their dream came true thanks to Coinbase … They made a killing by draining the Coinbase fee receiver account of all the tokens they gathered.”

Because the contract can be accessed by anyone, the bots were able to call it (a software term requesting services from another program) to transfer out the approved tokens directly to their own addresses.

While $300,000 is immaterial for Coinbase, the breach shows how even leading exchanges are vulnerable to small but sophisticated forms of automated trading exploitation.

MEV bots have long been a fixture in Ethereum and other blockchain ecosystems, profiting from token launches, NFT mints, and liquidity events by exploiting memepool visibility and transaction reordering.

In this case, the bots simply waited for a high-value wallet — like Coinbase’s fee receiver — to mistakenly grant spending rights to an exposed contract, then executed the drain instantly.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。