Coinbase loses $300,000 to MEV bots following 0x swapper interaction: security researcher

THE BLOCK
By THE BLOCK
2025-08-14 05:00

Coinbase lost approximately $300,000 in accumulated token fees due to a misconfigured interaction with the 0x Project's swapper contract.

X user "deeberiroz," a security researcher at Venn Network, reported on Wednesday that Coinbase interacted with a "swapper" smart contract for the decentralized peer-to-peer exchange 0x that was never intended for token approvals.

The 0x Project provides "swapper," a contract designed for executing swaps. The contract is permissionless: anyone can call it to perform arbitrary actions, with no ownership restrictions. It is not designed to receive token approvals, however, and granting it one can expose funds to risk.

This setup has led to known issues before, according to the researcher, involving Zora's airdrop claims on the Base Layer 2 network.

According to screenshots shared by deeberiroz, Coinbase initiated approvals for tokens such as Amp, MyOneProtocol, DEXTools, and Swell Network, from around 3:21 p.m.

"There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract — and then drain all their funds," deeberiroz wrote. "Well, their dream came true thanks to coinbase … They made a killing by draining the coinbase fee receiver account of all the tokens they gathered."

Because the contract is permissionless, the bots appear to have called the swapper contract to execute transfers, draining the approved tokens from the Coinbase wallet to their own addresses.
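A pre-signing check for the failure described above, as an added example that is not Coinbase or 0x code: it decodes ERC-20 `approve(address,uint256)` calldata and refuses approvals whose spender is a contract that executes caller-supplied calls. The addresses and the `OPEN_EXECUTORS` list are constructed placeholders, and the function names are hypothetical.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

# Constructed placeholder list: contracts that run caller-supplied calls and
# therefore must never be named as a spender.
OPEN_EXECUTORS = {"0x" + "ee" * 20: "permissionless call executor (placeholder)"}


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for other calls."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if data[:4] != APPROVE_SELECTOR:
        return None
    if len(data) < 68 or any(data[4:16]):
        # Truncated arguments or dirty address padding: fail closed.
        raise ValueError("malformed approve calldata")
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def review_approval(calldata_hex, allowed_spenders):
    """Return (decision, reason) for a transaction about to be signed."""
    try:
        decoded = decode_approve(calldata_hex)
    except ValueError as exc:
        return ("block", str(exc))
    if decoded is None:
        return ("pass", "not an ERC-20 approve call")
    spender, amount = decoded
    if amount == 0:
        return ("pass", "allowance revocation")
    if spender in OPEN_EXECUTORS:
        return ("block", "spender is a " + OPEN_EXECUTORS[spender])
    if spender not in {a.lower() for a in allowed_spenders}:
        return ("block", "spender not on the wallet's allowlist")
    if amount == MAX_UINT256:
        return ("warn", "unlimited allowance to allowlisted spender")
    return ("pass", "bounded allowance to allowlisted spender")


def build_approve(spender, amount):
    """Constructed sample input: ABI-encode approve(spender, amount)."""
    body = bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + body).hex()
```

The guard covers only `approve`; `increaseAllowance` and permit-style signatures also grant allowances and need the same spender check.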

The researcher's report was confirmed by Philip Martin, chief security officer for Coinbase Global, in a reply to the X post.

"I can confirm this is an isolated issue due to a change we made with one of our corporate DEX wallets, which led to unauthorized transfers," wrote Martin, adding that no customer funds were affected. 

The Coinbase CSO said the company responded by revoking token allowances and moving funds to a new corporate wallet.

