MEV Bots Drain $300K From Coinbase Wallet Following 0x Swapper Error


Key Takeaways

  • An MEV bot exploited a 0x swapper error to drain $300,000 from Coinbase’s corporate DEX wallet.
  • The loss stemmed from misconfigured token approvals on the 0x Project’s swapper contract.
  • Coinbase confirmed no customer funds were affected, and the issue has been contained.

A misconfigured token approval to the 0x Project’s swapper contract allowed an MEV (Maximal Extractable Value) bot to drain approximately $300,000 from a Coinbase corporate DEX wallet.

The error effectively handed the attacker spending rights over fee-accrued tokens, which were immediately pulled on-chain.

What Went Wrong

The 0x swapper contract is a permissionless, stateless router for token swaps — not a token vault.

By design, it shouldn’t hold approvals, as anyone can call it and execute arbitrary swaps using pre-approved tokens.

In this case, Coinbase’s corporate wallet — which collects protocol fees — mistakenly granted approval for accrued tokens to the swapper.

Once the approval transaction appeared in the mempool, MEV searchers detected it, built profitable bundles around it, and executed transactions that drained the wallet.

The contract’s open-access nature made the attack trivial: no private key compromise was needed, just the right call to a contract already authorized to spend tokens.

The absence of anti-MEV or slippage protections meant the wallet was fully exposed.

Expert Warning

Security researcher Dee Beez flagged that the same 0x swapper had previously been abused in Base’s Zora claim flow, warning that “this swapper is never meant to get approvals.”

It allows arbitrary external calls, meaning that once approvals are set, any actor — including MEV bots — can route transactions to drain funds.

Coinbase’s Response

Philip Martin, Coinbase’s Chief Security Officer, confirmed the loss was limited to a corporate DEX wallet and no customer funds were at risk.

Coinbase has since revoked token allowances and migrated remaining assets to a hardened wallet configuration.
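The root cause above is a standing allowance on a permissionless router, and the fix was to revoke allowances. The following allowance audit is an added example, not Coinbase's or 0x's code: it replays ERC-20 Approval events and flags any live allowance granted to a stateless router, producing the revocation calls needed. Addresses and the event log are constructed placeholders.

```python
"""Audit standing ERC-20 allowances granted by a fee-collecting wallet.
Replays Approval events (latest event per token/spender pair wins) and flags
any allowance held by a permissionless, stateless router, which anyone can
call to spend the approved tokens. Addresses and events are placeholders."""
from dataclasses import dataclass

UNLIMITED = 2**256 - 1  # the "infinite approval" value most wallets emit

@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int  # 0 means the allowance was revoked

# Constructed sample log (placeholder addresses): approve swapper and vault, then revoke vault.
FEE_WALLET = "0xFEEWALLET-PLACEHOLDER"
SWAPPER = "0xSWAPPER-PLACEHOLDER"  # permissionless router, never a vault
VAULT = "0xVAULT-PLACEHOLDER"      # approved custody contract
SAMPLE_EVENTS = [
    Approval("0xUSDC-PLACEHOLDER", FEE_WALLET, SWAPPER, UNLIMITED),
    Approval("0xWETH-PLACEHOLDER", FEE_WALLET, VAULT, 10**18),
    Approval("0xWETH-PLACEHOLDER", FEE_WALLET, VAULT, 0),
    Approval("0xUSDC-PLACEHOLDER", "0xOTHER-PLACEHOLDER", SWAPPER, 5),
]

def live_allowances(events, owner):
    """Return {(token, spender): value} for non-zero allowances of `owner`."""
    latest = {}
    for e in events:  # events must be in chain order; later ones overwrite
        if e.owner.lower() == owner.lower():
            latest[(e.token, e.spender.lower())] = e.value
    return {k: v for k, v in latest.items() if v > 0}

def audit_allowances(events, owner, allowlist, stateless_routers):
    """Flag allowances to stateless routers (critical) or unknown spenders."""
    allowed = {a.lower() for a in allowlist}
    routers = {r.lower() for r in stateless_routers}
    findings = []
    for (token, spender), value in live_allowances(events, owner).items():
        if spender in routers:
            severity = "critical"  # any caller can route these tokens out
        elif spender not in allowed:
            severity = "warning"
        else:
            continue  # allowlisted spender with a standing allowance is fine
        findings.append({"token": token, "spender": spender,
                         "severity": severity, "unlimited": value == UNLIMITED,
                         "fix": f"approve({spender}, 0) on {token}"})
    return findings
```

Run `audit_allowances(SAMPLE_EVENTS, FEE_WALLET, [VAULT], [SWAPPER])` to get the single critical finding with its `approve(spender, 0)` remediation; the revoked vault allowance is correctly ignored.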

MEV extraction remains one of DeFi’s most persistent attack surfaces. In 2021, a Uniswap V3 sandwich attack netted $10–$20 million for searchers; in 2022, a Sushiswap routing exploit resulted in nearly $300,000 in losses.

The Coinbase incident reinforces that even major institutions are not immune to the operational risks of interacting with permissionless DeFi infrastructure.
