"Expensive Lesson": Coinbase Loses $300,000 in Token Fees Due to 0x Contract Vulnerability


Coinbase mistakenly granted a token approval to a 0x Protocol smart contract, and a maximal extractable value (MEV) bot used that approval to take roughly $300,000 in accumulated token fees.

Venn Network security researcher Deebeez flagged the incident in a post on X on Wednesday. He stated that Coinbase's corporate wallet had interacted with the 0x "swapper" contract, a permissionless execution contract built to carry out swaps, which is not a contract that should ever be granted a standing token approval.

Because anyone can call this contract and direct it to move tokens it has been approved to spend, granting it an approval puts the approved balance at immediate risk of theft. "This swapper has previously encountered issues during the Zora claim on the Base chain," the researcher wrote, linking to earlier cases in which funds were extracted through the same mechanism without any contract vulnerability being exploited.

Screenshots shared by Deebeez show that on Wednesday afternoon Coinbase approved the contract to spend tokens including Amp, MyOneProtocol, DEXTools, and Swell Network. An MEV bot then called the swapper contract, which transferred the approved tokens from Coinbase's fee-collection account to the bot's own address.

Deebeez stated that the MEV bot that drained Coinbase's funds had been "lying in wait," looking for users to mistakenly authorize the contract, thereby emptying all funds. "Thanks to Coinbase, they got what they wanted," the researcher wrote.
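To make the mechanism concrete, here is an added example (not code from the article, from Coinbase, 0x or Venn Network): a small Python model of ERC-20 allowance semantics in which a permissionless swapper contract pulls whatever it has been approved for, no matter who calls it. The contract, addresses, token balances and amounts are constructed for illustration, and the real 0x contract's interface is not reproduced.

```python
from __future__ import annotations

UINT256_MAX = 2**256 - 1  # value commonly used for "unlimited" ERC-20 approvals


class ERC20:
    """Toy ERC-20 modelling only balances and the approve/transferFrom path."""

    def __init__(self, symbol: str, balances: dict[str, int]):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowances: dict[tuple[str, str], int] = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """Standard transferFrom: the spender (msg.sender) must hold an allowance."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError(f"{spender}: allowance from {owner} too low")
        if self.balances.get(owner, 0) < amount:
            raise ValueError(f"{owner}: insufficient {self.symbol} balance")
        if allowed != UINT256_MAX:  # unlimited approvals are not decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class PermissionlessSwapper:
    """Models an executor contract that moves tokens it has been approved for.
    It never checks that the caller is the token owner, so anyone can direct
    it to pull from any account that approved it (hypothetical, simplified)."""

    def __init__(self, address: str):
        self.address = address

    def pull(self, token: ERC20, caller: str, owner: str, to: str, amount: int) -> None:
        # `caller` is deliberately ignored: that is the permissionless design.
        token.transfer_from(self.address, owner, to, amount)


def drainable(token: ERC20, owner: str, spender: str) -> int:
    """What a spender can move right now: min(allowance, balance)."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def exposure_report(tokens: list[ERC20], owner: str, spenders: list[str]) -> dict[str, int]:
    """Per-token amount exposed to the given spenders, i.e. what a bot sees on-chain."""
    return {t.symbol: sum(drainable(t, owner, s) for s in spenders) for t in tokens}


def bot_drain(token: ERC20, swapper: PermissionlessSwapper, victim: str, bot: str) -> int:
    """The bot's move: sweep everything the swapper can pull into the bot's address."""
    amount = drainable(token, victim, swapper.address)
    if amount:
        swapper.pull(token, caller=bot, owner=victim, to=bot, amount=amount)
    return amount


def run_scenario() -> dict[str, int]:
    """Constructed scenario: a fee wallet grants an unlimited approval to the
    swapper, a bot sweeps it, the approval is revoked, and a later refill is safe."""
    fee_wallet, swapper, bot = "0xfee", "0xswapper", "0xbot"
    amp = ERC20("AMP", {fee_wallet: 1_000})  # constructed balance, not a real figure
    sw = PermissionlessSwapper(swapper)

    amp.approve(fee_wallet, swapper, UINT256_MAX)  # the mistaken approval
    exposed_before = exposure_report([amp], fee_wallet, [swapper])["AMP"]
    drained = bot_drain(amp, sw, fee_wallet, bot)  # bot pulls the full 1_000 AMP

    amp.approve(fee_wallet, swapper, 0)  # revoke: allowance back to zero
    amp.balances[fee_wallet] += 500  # new fees arrive after the revocation
    drained_after_revoke = bot_drain(amp, sw, fee_wallet, bot)

    return {
        "exposed_before": exposed_before,
        "drained": drained,
        "bot_balance": amp.balances[bot],
        "drained_after_revoke": drained_after_revoke,
        "wallet_balance": amp.balances[fee_wallet],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The check a practitioner wants from this is `exposure_report`: for a treasury or fee wallet, the amount at risk is the minimum of the outstanding allowance and the balance, summed over every spender that is not a contract you control. Revocation is just `approve(spender, 0)`, and as the scenario shows, balances that arrive after the revocation are no longer reachable through the swapper.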

The researcher also mentioned that this incident emptied all tokens in Coinbase's fee receiving account, serving as an "expensive lesson" for the team.

Coinbase Chief Security Officer Philip Martin confirmed the incident, stating that it was due to an "isolated issue" caused by a configuration change in the company's decentralized exchange (DEX) wallet.

Martin stated, "No customer funds were affected," and added that Coinbase has revoked the token authorization and transferred the remaining funds to a new corporate wallet.

In April of this year, an MEV bot lost $180,000 in Ether (ETH) after an attacker exploited a flaw in its access controls. According to reports, the attacker swapped the bot's ETH for worthless tokens through a maliciously created liquidity pool within the same transaction.

A similar incident occurred in 2023, when a malicious validator exploited a vulnerability during an MEV bot's attempted "sandwich" trade and took digital assets worth $25 million, including Wrapped Bitcoin (WBTC), USD Coin (USDC), Tether (USDT), Dai (DAI), and Wrapped Ether (WETH).


Original article: “Expensive Lesson”: Coinbase Loses $300,000 in Token Fees Due to 0x Contract Vulnerability
