Coinbase Loses $300,000 Due to Erroneous Token Approval
Coinbase recently lost approximately $300,000 in accumulated token fees after approving assets to a 0x Project smart contract, which allowed a maximal extractable value (MEV) bot to drain funds from the exchange's fee wallet. The incident was disclosed by security researcher Deebeez of Venn Network in a post on X on Wednesday.
Approval Error Allowed Immediate Fund Drain
The event involved Coinbase's corporate wallet interacting with 0x's 'swapper' contract, a permissionless tool designed to route token swaps but not intended to receive token approvals. According to Deebeez, approving tokens to this type of contract exposes the approved balance to unauthorized transfers: because anyone can call the contract, anyone can have it spend the allowance, and no code vulnerability needs to be found. The contract behaves as designed; the error is the approval itself.
Screenshots provided by Deebeez showed that Coinbase granted approvals for several tokens, including Amp, MyOneProtocol, DEXTools, and Swell Network. Shortly after these approvals, an MEV bot submitted a transaction that moved the approved tokens from Coinbase's fee receiver account to addresses it controlled.
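To make the mechanism described above concrete, here is an added example in Python; it is not code from the article, from Coinbase, or from 0x. It models a toy ERC-20 with approve/transferFrom, a constructed "swapper" whose execute() anyone can call, and a constructed router that only moves the caller's own tokens. The addresses, token symbol, balances and the list of permissionless spenders are assumptions made for the simulation. It shows the drain through the open contract, the failed drain through the access-controlled one, an allowance audit that flags the risky approval, and the revocation (an approval of zero) that closes the exposure.

```python
"""Toy model of ERC-20 allowances and a permissionless swap helper.

Constructed example for this article: an in-memory ERC-20 plus two spender
contracts. It is not 0x's code and does not reproduce the real transaction.
It shows why an allowance granted to a contract anyone can call is spendable
by anyone, and how an allowance audit and revocation close the exposure.
"""

UINT256_MAX = 2**256 - 1  # "infinite" approval, common in wallet UIs


class ERC20:
    """Minimal ERC-20 state: balances and (owner, spender) -> allowance."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, src, dst, amount):
        """`caller` plays msg.sender: the contract spending src's allowance."""
        allowed = self.allowance(src, caller)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError(
                f"{caller} may not move {amount} {self.symbol} from {src}")
        if allowed != UINT256_MAX:  # infinite allowances are not decremented
            self.allowances[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class PermissionlessSwapper:
    """Models a helper meant to be funded by transfer, not by approval.
    execute() never checks that the caller owns `src`, so any caller can
    spend whatever allowance this contract has been given."""

    address = "swapper"  # constructed address label

    def execute(self, token, caller, src, dst, amount):
        token.transfer_from(self.address, src, dst, amount)


class SelfOnlyRouter:
    """Models a contract designed to hold allowances: it only moves tokens
    that belong to the caller."""

    address = "router"  # constructed address label

    def execute(self, token, caller, src, dst, amount):
        if caller != src:
            raise PermissionError("caller may only spend its own allowance")
        token.transfer_from(self.address, src, dst, amount)


def drain_attempt(spender, token, victim, attacker, amount):
    """How much an unrelated caller can pull from `victim` through `spender`."""
    before = token.balances.get(attacker, 0)
    try:
        spender.execute(token, attacker, victim, attacker, amount)
    except PermissionError:
        return 0
    return token.balances[attacker] - before


def audit_allowances(token, owner, permissionless_spenders):
    """Flag live allowances from `owner` to spenders known to be open to all
    callers. That set is an input you maintain; it cannot be derived from the
    allowance table itself."""
    return [(spender, amt) for (o, spender), amt in token.allowances.items()
            if o == owner and amt > 0 and spender in permissionless_spenders]


def revoke(token, owner, spender):
    """ERC-20 has no separate revoke call; an approval of 0 is the revocation."""
    token.approve(owner, spender, 0)


def demo():
    # Constructed sample state: a fee wallet holding 1,000 TKN, an empty bot.
    token = ERC20("TKN", {"fee_wallet": 1_000, "mev_bot": 0})
    swapper, router = PermissionlessSwapper(), SelfOnlyRouter()
    token.approve("fee_wallet", swapper.address, UINT256_MAX)  # the mistake
    token.approve("fee_wallet", router.address, UINT256_MAX)   # by design

    via_swapper = drain_attempt(swapper, token, "fee_wallet", "mev_bot", 600)
    via_router = drain_attempt(router, token, "fee_wallet", "mev_bot", 400)
    findings = audit_allowances(token, "fee_wallet", {swapper.address})
    revoke(token, "fee_wallet", swapper.address)
    after_revoke = drain_attempt(swapper, token, "fee_wallet", "mev_bot", 100)
    return via_swapper, via_router, findings, after_revoke


if __name__ == "__main__":
    print(demo())  # (600, 0, [('swapper', UINT256_MAX)], 0)
```

The audit in this model is only as good as the list of permissionless spenders it is given; on a real chain that list comes from reading the spender's source or documentation, since an allowance table alone does not reveal which spender contracts will act for any caller.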
Past Vulnerabilities and Incident Response
The 0x swapper contract has reportedly been involved in similar losses before, including incidents around Zora claims on Base, according to the researcher. Deebeez said that parties monitoring the contract had been waiting for users to make exactly this kind of approval mistake, so that funds could be extracted as soon as one appeared.
Coinbase's chief security officer, Philip Martin, described the event as an isolated issue arising from a configuration change in one of Coinbase's corporate decentralized exchange wallets. He clarified: "No customer funds were affected." The exchange promptly revoked the token allowances and migrated any remaining funds to a new wallet.
Context: MEV Attacks Remain a Risk
Incidents involving MEV bots have become more common as DeFi operations grow more complex. In April, a separate MEV bot itself lost funds after its access control was exploited, with a substantial amount of ETH swapped out for worthless tokens. In another instance, in 2023, a rogue validator exploited bots' sandwich trades, taking about $25 million across several digital assets.
Coinbase's experience highlights an ongoing risk for crypto companies handling smart contract permissions, especially on decentralized platforms and tools built for open interaction. Security experts advise reviewing every external approval before it is signed, granting allowances only to contracts designed to hold them, and revoking allowances once the operation that needed them is complete.