Coinbase lost about $300,000 in token fees after mistakenly approving assets to a 0x Project smart contract. The approval allowed a maximal extractable value (MEV) bot to move funds from the exchange’s corporate wallet.
Security researcher Deebeez from Venn Network reported the case on X on Wednesday. According to him, Coinbase’s corporate wallet interacted with 0x’s “swapper” contract. The tool is built to execute swaps but is not designed to receive token approvals.

Granting approvals to such a contract can expose assets to immediate transfer by anyone who calls it. Deebeez pointed out that the same swapper contract had earlier caused issues with Zora claims on Base, where similar approvals allowed third parties to move funds without exploiting code flaws.
MEV Bot Moves Tokens From Coinbase’s Fee Receiver
Screenshots posted by Deebeez showed Coinbase granting approvals for tokens including Amp (AMP), MyOneProtocol (MYOP), DEXTools (DEXT), and Swell Network (SWELL). These approvals were made on Wednesday afternoon.
Soon after, an MEV bot triggered the swapper contract to transfer the approved tokens from Coinbase’s fee receiver account to its own addresses. Deebeez said the bot had been “lurking in the dark,” waiting for such approvals. He noted, “Their dream came true thanks to Coinbase.”
The incident resulted in the complete draining of tokens from the fee receiver account. No vulnerabilities in the code were exploited; the loss came entirely from the approval misstep.
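Because the loss came from an approval to the wrong spender rather than a code flaw, one control is to inspect the spender before a transaction is signed. The following Python is an added example, not code from Coinbase, 0x or the researcher. The allowlist, the placeholder addresses and the rule rejecting unlimited allowances are assumptions made for illustration.

```python
# Pre-signing guard for ERC-20 approve() calls.
# All addresses are constructed placeholders, not real contracts.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1
# Assumed policy: the only spenders this wallet may approve.
ALLOWED_SPENDERS = {"0x" + "11" * 20}


def _raw(hex_str):
    """Hex string (with or without 0x) to bytes."""
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, None for other calls."""
    data = _raw(calldata_hex)
    if data[:4] != APPROVE_SELECTOR:
        return None
    if len(data) != 4 + 64:
        raise ValueError("malformed approve() calldata")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):
        raise ValueError("non-zero padding in address argument")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_tx(calldata_hex, allowed=ALLOWED_SPENDERS):
    """Return (ok, reason) for a transaction about to be signed."""
    try:
        decoded = decode_approve(calldata_hex)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if decoded is None:
        return True, "not an approve() call"
    spender, amount = decoded
    if amount == 0:
        return True, f"revocation for {spender}"
    if spender not in {a.lower() for a in allowed}:
        return False, f"reject: spender {spender} is not on the allowlist"
    if amount == MAX_UINT256:
        return False, f"reject: unlimited allowance to {spender}"
    return True, f"approve {amount} to {spender}"


def build_approve(spender, amount):
    """Build constructed sample calldata for exercising the guard."""
    word = _raw(spender).rjust(32, b"\0")
    return "0x" + (APPROVE_SELECTOR + word + amount.to_bytes(32, "big")).hex()
```

A revocation (amount zero) is always allowed so that a mistaken approval can be withdrawn even when the spender is not on the allowlist.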
Coinbase Security Chief Confirms and Responds
Philip Martin, Coinbase’s chief security officer, confirmed the incident. He described it as an “isolated issue” caused by a configuration change in one of the exchange’s corporate decentralized exchange (DEX) wallets.

Past MEV Bot Exploits Highlight Risks
This case adds to a growing list of MEV-related incidents. In April 2025, an MEV bot lost $180,000 in Ether (ETH) after an attacker exploited a flaw in its access control system. The attacker swapped the bot’s ETH for a worthless token via a malicious pool created within the same transaction.
In 2023, a rogue validator exploited MEV bots performing “sandwich trades,” stealing $25 million in assets including Wrapped Bitcoin (WBTC), USD Coin (USDC), Tether (USDT), DAI, and Wrapped Ether (WETH).


