'Expensive Lesson': Coinbase Loses $300K Token Fees in 0x Contract Error

Coinbase, one of the largest cryptocurrency exchanges in the world, has suffered a significant loss after mistakenly approving assets to a 0x Project smart contract, allowing a maximal extractable value (MEV) bot to drain its corporate wallet. The incident, which was revealed by security researcher Deebeez from Venn Network, resulted in Coinbase losing approximately $300,000 in token fees.

The error occurred when Coinbase's corporate wallet interacted with 0x's "swapper" contract, a permissionless tool designed to execute swaps, not to receive token approvals. Because anyone can call the contract and it performs no checks on who is calling, any allowance granted to it can be spent by whoever calls it first; the same swapper is known to have had issues with Zora claims on Base.

"This same swapper is known to have had issues with Zora claims on Base," Deebeez wrote in his post on X. "Since anyone can call the contract to perform arbitrary actions, granting approvals can expose assets to immediate theft." The researcher shared screenshots that showed Coinbase granting approvals for tokens including Amp, MyOneProtocol, DEXTools, and Swell Network on Wednesday afternoon.

Soon after, an MEV bot called the swapper contract to transfer the approved tokens from Coinbase's fee receiver account into its own addresses. This drained all the funds from the corporate wallet, leaving the exchange with a significant loss. Deebeez said that the MEV bot had been "lurking in the dark," waiting for users to mistakenly approve the contract so it could drain all their funds.

"Their dream came true thanks to Coinbase," the researcher wrote. "The incident, which drained the Coinbase fee receiver account of all its tokens, was an expensive lesson for the team." The researcher emphasized that this incident highlights the importance of security measures and the need for users to be cautious when interacting with smart contracts.

Coinbase chief security officer Philip Martin confirmed the incident, describing it as an "isolated issue" linked to a configuration change in one of the exchange's corporate DEX wallets. He stated that no customer funds were affected, adding that Coinbase revoked the token allowances and moved remaining funds to a new corporate wallet.
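The control that would have caught this before the bot did is an allowance audit: decode the ERC-20 Approval events a corporate wallet emits, flag any spender that is not on a vetted allowlist, and prepare the approve(spender, 0) revocation call. The script below is an added example, not Coinbase's or 0x's tooling; all addresses are constructed placeholders and the log shape mirrors a JSON-RPC eth_getLogs record.

```python
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("approve(address,uint256)")[:4]: the standard ERC-20 function selector
APPROVE_SELECTOR = "095ea7b3"

def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; take the low 20."""
    return "0x" + topic[-40:].lower()

def decode_approval(log):
    """Decode one eth_getLogs-style Approval record into owner/spender/value."""
    topics = log["topics"]
    if topics[0].lower() != APPROVAL_TOPIC:
        raise ValueError("not an ERC-20 Approval log")
    return {"token": log["address"].lower(),
            "owner": topic_to_address(topics[1]),
            "spender": topic_to_address(topics[2]),
            "value": int(log["data"], 16)}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, 32-byte address, 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def audit(logs, wallet, allowlist):
    """Return (token, spender, revoke_calldata) for each non-zero approval
    that `wallet` granted to a spender outside the allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for ev in (decode_approval(lg) for lg in logs):
        if ev["owner"] == wallet.lower() and ev["value"] and ev["spender"] not in allowed:
            findings.append((ev["token"], ev["spender"], revoke_calldata(ev["spender"])))
    return findings

# Constructed sample: placeholder addresses, one approval to a vetted router and
# one to an unvetted contract, both for the maximum uint256 amount.
WALLET, ROUTER, UNKNOWN, TOKEN = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
pad = lambda a: "0x" + a[2:].rjust(64, "0")  # 32-byte left-padded topic
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(ROUTER)], "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(UNKNOWN)], "data": "0x" + "f" * 64},
]

if __name__ == "__main__":
    for token, spender, calldata in audit(SAMPLE_LOGS, WALLET, [ROUTER]):
        print(f"revoke {spender} on {token}: {calldata}")
```

Run against real logs, the same check works as a pre-signing gate: refuse to sign any approve() whose spender fails the allowlist, rather than only revoking after the fact.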

This incident is not an isolated case, however. MEV bot exploits have become increasingly common, with recent cases involving significant losses. In April, an MEV bot lost $180,000 in Ether (ETH) after an attacker exploited a vulnerability in its access control system. Another incident in 2023 saw a rogue validator steal $25 million in digital assets using MEV bots.

These incidents demonstrate the importance of staying vigilant and taking proactive measures to protect oneself from potential security threats. As the cryptocurrency market continues to evolve, it is crucial for users and exchanges alike to prioritize security and ensure that all necessary precautions are taken to prevent similar incidents in the future.