When MEV Bots Strike: How Coinbase’s $300K Slip-Up Revealed Hidden Blockchain Risks

After an unintended move involving 0x’s decentralized exchange “swapper” contract, Coinbase ended up losing close to $300,000 in token fees as MEV bots seized the chance to empty one of its corporate wallets.

Philip Martin, Coinbase’s head of security, acknowledged the blunder, deeming it “an isolated event” linked to a modification in one of the exchange’s corporate DEX wallets. He emphasized in a post on X that customer assets remained untouched.

The Exploit Uncovered

It was security analyst “deeberiroz” from Venn Network who first raised the alarm on Wednesday about the vulnerability. Coinbase had inadvertently granted token approvals to the swapper contract—a permissionless mechanism crafted for facilitating swaps but never intended to hold token allowances.

This misconfiguration created a perfect window for the opportunistic MEV bots, which wasted no time in emptying the wallet once the permissions were active.

Understanding MEV and Its Role Here

The acronym MEV, standing for “maximal extractable value,” describes profit captured by inserting, reordering or front-running transactions within a block, typically by bots that watch the public mempool for opportunities. In this episode, it meant the bots moved the funds before Coinbase could retract the approval.

The researcher commented on X: “Looks like an MEV bot was lying in wait, ready to pounce the moment users accidentally approved that contract—and then they wiped out all the funds. Thanks to Coinbase’s slip-up, the attackers walked away with everything they could grab from the fee receiver account.”

Snapshot of the Event

On August 13, 2025, @deeberiroz tweeted about the incident, highlighting how Coinbase’s misuse of the @0xProject swapper caused an immediate drain of roughly $300,000 by MEV bots.

Because the swapper contract was permissionless, anyone could call it; the bots did so and had the contract spend the allowance Coinbase had granted it, routing the pre-approved tokens straight into their own wallets.
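The root cause described in “The Exploit Uncovered” and in the paragraph above is an ERC-20 allowance that should never have existed: a live approval from a treasury wallet to a permissionless helper contract. The following is an added example, not code from the article, from Coinbase or from 0x, showing how a defender can audit such approvals from ordinary Approval event logs, flag allowances to contracts on a deny-list or unlimited allowances, and build the approve(spender, 0) call that retracts one. The Approval topic hash and the approve() selector are the standard ERC-20 values; every address and log record below is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

# Constructed addresses for the demonstration (not real on-chain contracts).
TREASURY = "0x" + "11" * 20   # the wallet being audited, e.g. a fee receiver
SWAPPER = "0x" + "22" * 20    # permissionless helper contract: must never hold an allowance
ROUTER = "0x" + "33" * 20     # an intended, allowance-holding spender
TOKEN = "0x" + "aa" * 20      # an ERC-20 token contract


def _pad_address(addr: str) -> str:
    """Indexed address topics are the 20-byte address left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _pad_word(n: int) -> str:
    return "0x" + format(n, "064x")


def _log(block: int, index: int, owner: str, spender: str, value: int) -> dict:
    """Build one eth_getLogs-style Approval record (constructed sample data)."""
    return {"address": TOKEN,
            "topics": [APPROVAL_TOPIC, _pad_address(owner), _pad_address(spender)],
            "data": _pad_word(value), "blockNumber": hex(block), "logIndex": hex(index)}


# Constructed log records, deliberately out of order to exercise the sorting.
SAMPLE_LOGS = [
    _log(17, 2, TREASURY, SWAPPER, UNLIMITED),      # the misconfiguration
    _log(16, 0, TREASURY, ROUTER, 1_000_000_000),   # finite allowance to an intended spender
    _log(15, 1, TREASURY, SWAPPER, 0),              # older zero approval; must not mask block 17
    {"address": TOKEN,                              # a Transfer event, ignored by the decoder
     "topics": ["0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef",
                _pad_address(TREASURY), _pad_address(ROUTER)],
     "data": _pad_word(5), "blockNumber": hex(18), "logIndex": hex(0)},
]


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int
    block: int
    log_index: int


def decode_approval(log: dict) -> Optional[Approval]:
    """Decode one log record; return None if it is not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(token=log["address"].lower(),
                    owner="0x" + topics[1][-40:].lower(),
                    spender="0x" + topics[2][-40:].lower(),
                    value=int(log["data"], 16),
                    block=int(log["blockNumber"], 16),
                    log_index=int(log["logIndex"], 16))


def current_allowances(logs: list) -> dict:
    """approve() overwrites rather than accumulates, so the latest event per
    (token, owner, spender) is the live allowance; order by block and log index."""
    events = [a for a in map(decode_approval, logs) if a is not None]
    events.sort(key=lambda a: (a.block, a.log_index))
    state = {}
    for a in events:
        state[(a.token, a.owner, a.spender)] = a.value
    return state


def flag_risky(state: dict, watched_owners: set, forbidden_spenders: set) -> list:
    """Findings for watched wallets: any live allowance to a forbidden spender
    (a permissionless contract that should never hold allowances), and any
    unlimited allowance to anyone else."""
    findings = []
    for (token, owner, spender), value in state.items():
        if owner not in watched_owners or value == 0:
            continue
        if spender in forbidden_spenders:
            reason = "allowance to permissionless contract"
        elif value == UNLIMITED:
            reason = "unlimited allowance"
        else:
            continue
        findings.append({"token": token, "spender": spender, "value": value, "reason": reason})
    return findings


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): the call the wallet sends to the token
    contract to retract the allowance (spender padded to 32 bytes, then zero)."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def audit_sample() -> list:
    """Run the audit over the constructed logs for the treasury wallet."""
    return flag_risky(current_allowances(SAMPLE_LOGS), {TREASURY}, {SWAPPER})


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['reason']}: spender {f['spender']} on token {f['token']}")
        print("  revoke with calldata:", revoke_calldata(f["spender"]))
```

In practice the log records come from an eth_getLogs query filtered on the Approval topic with the treasury address in the owner position, and the deny-list holds every helper or router contract that is documented as permissionless; running this after each change to a corporate wallet, or continuously against new blocks, turns the class of mistake described in the article into an alert rather than a drained account.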

The Bigger Picture: Why This Matters

While the $300,000 loss might be a drop in the bucket for a giant like Coinbase, the breach underscores a critical vulnerability: even the most reputable exchanges are not immune to subtle, high-tech forms of automated trading attacks.

MEV bots have become a longstanding presence in Ethereum and other blockchain realms, capitalizing on token launches, NFT drops, and liquidity events by exploiting transaction ordering and mempool visibility.

Here, the bots simply bided their time, waiting for a high-value wallet—such as Coinbase’s fee receiver—to unknowingly authorize spending rights to a vulnerable contract before instantly pulling out the tokens.

Key Points Summarized:

  • Coinbase accidentally allowed token approvals to a swapper contract meant only to facilitate swaps, not hold allowances.
  • MEV bots exploited this by calling the contract to transfer tokens to themselves immediately.
  • The incident cost Coinbase about $300,000 but spared customer funds.
  • This event highlights how advanced automated exploits can bypass even top-tier security setups.