Coinbase has lost approximately $300,000 in token fees after a misconfigured interaction with a 0x Project smart contract allowed MEV bots to drain funds from a corporate wallet.
Key Takeaways
1. Coinbase approved tokens to the 0x “swapper” contract, which is permissionless and not designed to hold token approvals.
2. MEV bots exploited the oversight to drain around $300,000 in token fees from a corporate wallet.
3. No customer funds were affected, according to Coinbase’s chief security officer.
4. The issue stemmed from a configuration change in Coinbase’s decentralized exchange (DEX) wallet setup.
What Happened?
A Coinbase corporate wallet mistakenly granted token spending rights (ERC-20 allowances) to a 0x Project smart contract called “swapper.” Because the contract can be invoked by anyone, the allowance was effectively open to anyone, and maximal extractable value (MEV) bots quickly used it to transfer out the approved tokens. Coinbase confirmed the loss, totaling about $300,000, and stated that no customer funds were involved.
MEV Bots Seize the Moment
The exploit was first reported by Deeberiroz, a security researcher at Venn Network, who identified the vulnerable contract interaction on social media. The issue arose when Coinbase approved tokens like Amp, MyOneProtocol, DEXTools, and Swell Network to the 0x “swapper” contract. Although the contract is designed to execute token swaps, it is not built to be the holder of standing approvals: any allowance granted to it can be spent by whoever calls the contract, not only by the wallet that granted it, which makes such a grant a security risk.
Looks like @coinbase was recently drained of ~$300,000 after using @0xProject swapper incorrectly.
They approved all the tokens accrued as fees to their router, getting drained immediately by MEV bots 🧵 pic.twitter.com/yWNHl8nupg
deebeez (@deeberiroz), August 13, 2025
Once the token approvals went live, a lurking MEV bot immediately called the contract, draining the fee receiver account linked to Coinbase. The researcher noted this was not a flaw in the smart contract code but rather a misconfiguration on Coinbase’s part. Because the contract is permissionless, anyone could invoke it, and the allowance granted to the contract could therefore be spent by any caller without restriction.
Coinbase Reacts Quickly
Coinbase’s chief security officer Philip Martin confirmed the exploit, attributing it to a recent configuration change in one of the company’s corporate DEX wallets. He labeled it an “isolated issue” and assured that all customer assets remain secure.
In response to the incident, Coinbase revoked the token allowances and moved the remaining funds to a new corporate wallet. The move was designed to prevent further exposure and lock down access to vulnerable assets.
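The two points above (an allowance granted to a permissionless contract is spendable by any caller, and revoking the allowance closes the hole) can be shown with a toy ERC-20 allowance model. This is an added example written for this page, not 0x Project or Coinbase code; the `PermissionlessSwapper` class, the addresses, the token balance and the `audit_allowances` helper are all hypothetical constructions that mimic the behaviour the researcher described, not the real swapper contract.

```python
"""Toy ERC-20 allowance model (added example; not 0x or Coinbase code).

Three parties: a corporate fee-receiver wallet, a hypothetical permissionless
"swapper"-style contract that runs a transfer for whoever invokes it, and an
unrelated caller standing in for an MEV bot. All names and amounts are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Token:
    """Minimal ERC-20: balances plus the owner -> spender -> amount allowance map."""
    symbol: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # ERC-20 rule: the caller (msg.sender) must hold an allowance from `owner`.
        if self.allowance(owner, caller) < amount:
            raise PermissionError(f"{caller} has no allowance of {amount} from {owner}")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[owner][caller] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class PermissionlessSwapper:
    """Hypothetical stand-in for a permissionless executor contract."""
    address = "0xSWAPPER"  # hypothetical contract address

    def execute(self, invoker: str, token: Token, owner: str, to: str, amount: int) -> None:
        # Deliberately no check on `invoker`: the contract is msg.sender for the inner
        # transfer_from, so any allowance granted to the contract is spent on behalf
        # of whoever called it. That is the property the article describes.
        token.transfer_from(self.address, owner, to, amount)


FEE_WALLET = "0xFEE_RECEIVER"  # hypothetical corporate fee-receiver wallet
MEV_BOT = "0xMEV_BOT"          # hypothetical unrelated caller
FEES = 1_000                   # constructed fee balance, in token units


def setup() -> tuple[Token, PermissionlessSwapper]:
    token = Token("AMP", balances={FEE_WALLET: FEES})
    return token, PermissionlessSwapper()


def drain_with_open_approval() -> dict:
    """Fee wallet approves the swapper; an unrelated bot spends the whole allowance."""
    token, swapper = setup()
    token.approve(FEE_WALLET, swapper.address, FEES)
    open_amount = token.allowance(FEE_WALLET, swapper.address)  # what a bot would read on-chain
    swapper.execute(MEV_BOT, token, FEE_WALLET, MEV_BOT, open_amount)
    return {"wallet": token.balances[FEE_WALLET], "bot": token.balances.get(MEV_BOT, 0)}


def drain_after_revoke() -> dict:
    """Same setup, but the allowance is revoked (approve(spender, 0)) before the bot acts."""
    token, swapper = setup()
    token.approve(FEE_WALLET, swapper.address, FEES)
    token.approve(FEE_WALLET, swapper.address, 0)  # standard ERC-20 revocation idiom
    try:
        swapper.execute(MEV_BOT, token, FEE_WALLET, MEV_BOT, FEES)
        blocked = False
    except PermissionError:
        blocked = True
    return {"blocked": blocked, "wallet": token.balances[FEE_WALLET]}


def audit_allowances(token: Token, owner: str, trusted: set) -> list:
    """Return non-zero allowances from `owner` to spenders outside the `trusted` allowlist.

    Hypothetical pre-flight check: run it over a corporate wallet before and after any
    wallet configuration change; any hit is an allowance that should be revoked.
    """
    return sorted(
        (spender, amt)
        for spender, amt in token.allowances.get(owner, {}).items()
        if amt > 0 and spender not in trusted
    )


if __name__ == "__main__":
    print(drain_with_open_approval())   # wallet emptied, bot holds the fees
    print(drain_after_revoke())         # bot's call rejected, wallet intact
    t, s = setup()
    t.approve(FEE_WALLET, s.address, FEES)
    print(audit_allowances(t, FEE_WALLET, trusted=set()))  # flags the open approval
```

The audit helper is the control a practitioner would want: a standing allowance to a contract that is not on a per-wallet allowlist is the finding, regardless of whether the contract's code has a bug.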
History of MEV Exploits
This latest incident highlights how MEV bots remain a persistent threat in the crypto ecosystem. These bots continuously scan pending transactions and on-chain state for profitable opportunities, whether by front-running or reordering transactions, by exploiting smart contract flaws, or, as here, by spending allowances that have been left open to anyone.
- In April, an MEV bot itself lost about $180,000 in ETH after an attacker exploited a flaw in the bot’s access controls.
- In 2023, a rogue validator hijacked sandwich trades to steal over $25 million in assets including WBTC, USDC, DAI, and WETH.
Even though the $300,000 loss is minor for a company the size of Coinbase, it underscores that vigilance and disciplined handling of token approvals remain essential, especially in decentralized environments where any open allowance is visible to, and usable by, everyone.
CoinLaw’s Takeaway
I think this is a classic example of how even top-tier platforms like Coinbase can slip up in the fast-moving world of DeFi. One overlooked configuration exposed them to bots waiting in the shadows. While $300,000 might not break the bank for Coinbase, the real cost is reputational. It reminds me (and hopefully other crypto users) that even permissionless tools need tight access controls and internal policies. Always double-check smart contract interactions, especially in corporate or high-volume wallets.
