TL;DR
- Costly Error: Coinbase lost about $300,000 in token fees after mistakenly approving assets to 0x’s swapper contract, enabling an MEV bot to drain funds from its corporate fee-receiver wallet within minutes of the change.
- Exploit Mechanics: The bot abused standing token approvals rather than any code flaw, moving approved tokens such as Amp and DEXTools through 0x’s arbitrary-call feature, highlighting composability risks in DeFi infrastructure.
- Security Takeaways: The incident reinforces the need for isolated wallets, strict approval limits, rapid revocation protocols, and pre-deployment simulations as primary defenses against opportunistic MEV activity.
Coinbase lost roughly $300,000 in token fees after a configuration change caused its corporate DEX wallet to approve multiple tokens to 0x’s permissionless “swapper” contract, a tool designed for executing swaps, not holding allowances. Within minutes, an opportunistic MEV bot exploited the standing approvals, draining assets from the exchange’s fee-receiver account. Security researcher “Deebeez” first identified the incident, with Coinbase’s chief security officer confirming it as isolated and stressing no customer funds were involved.
Looks like @coinbase was recently drained of ~$300,000 after using @0xProject swapper incorrectly.
They approved all the tokens accrued as fees to their router, getting drained immediately by MEV bots 🧵 pic.twitter.com/yWNHl8nupg
— deebeez (@deeberiroz) August 13, 2025
How the MEV Bot Capitalized
0x’s swapper lets any user perform arbitrary calls, so any token allowance granted to it can be spent by whoever calls it next. Coinbase’s fee wallet had approved tokens including Amp, MyOneProtocol, DEXTools, and Swell Network to the swapper. A waiting MEV bot quickly called the contract and transferred the approved balances away without exploiting any code vulnerability, purely through the risky combination of open permissions and on-chain composability.
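As an added illustration (not Coinbase’s or 0x’s code, and not from the original article), the following in-memory model of ERC-20 allowances shows why a standing approval to a permissionless router is spendable by any caller, how an allowance audit would surface that exposure, and how a scoped approve-swap-revoke flow leaves nothing behind to drain. The balances, the FEE_RECEIVER/SWAPPER/POOL names and the 10,000-unit swap are constructed values.

```python
UNLIMITED = 2**256 - 1  # the usual "infinite" ERC-20 approval value

class Token:  # minimal in-memory ERC-20 allowance model (constructed; not a real token)
    def __init__(self, name, balances):
        self.name, self.balances = name, dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """transferFrom: the spender contract (msg.sender) moves the owner's funds."""
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UNLIMITED:  # infinite approvals are never drawn down
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def audit_allowances(tokens, owner, permissionless_spenders):
    """Return {token: drainable amount} for standing allowances to arbitrary-call spenders."""
    findings = {}
    for tok in tokens:
        for spender in permissionless_spenders:
            allowed = tok.allowances.get((owner, spender), 0)
            if allowed:  # anyone can trigger transferFrom via this spender
                findings[tok.name] = min(allowed, tok.balances.get(owner, 0))
    return findings

def scoped_swap(token, owner, swapper, amount, do_swap):
    """Approve exactly `amount`, run the swap, then zero whatever allowance is left."""
    token.approve(owner, swapper, amount)
    try:
        do_swap()
    finally:
        token.approve(owner, swapper, 0)  # rapid revoke: no standing approval survives

def demo():
    fee_wallet, swapper = "FEE_RECEIVER", "SWAPPER"  # constructed stand-in addresses
    amp = Token("Amp", {fee_wallet: 1_000_000})
    dext = Token("DEXTools", {fee_wallet: 50_000})
    amp.approve(fee_wallet, swapper, UNLIMITED)  # the misconfiguration: open-ended
    dext.approve(fee_wallet, swapper, UNLIMITED)
    risky = audit_allowances([amp, dext], fee_wallet, {swapper})
    scoped_swap(amp, fee_wallet, swapper, 10_000,
                lambda: amp.transfer_from(swapper, fee_wallet, "POOL", 10_000))
    dext.approve(fee_wallet, swapper, 0)  # revoke the allowance no pending swap needs
    safe = audit_allowances([amp, dext], fee_wallet, {swapper})
    return risky, safe
```

The audit reports the whole balance of both tokens as drainable while the unlimited approvals stand, and nothing once the swap has been scoped and the leftover allowances zeroed.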
Coinbase’s Rapid Response
After detection, Coinbase revoked the approvals and migrated the remaining assets to a new corporate wallet. The response limited losses to exchange-owned fee accruals and avoided impact on client funds. Industry observers noted that MEV opportunism has long been a hazard. In April, a bot lost $180,000 in Ether to another MEV agent, and in 2023, a rogue validator intercepted sandwich trades worth $25 million.
Lessons for DeFi Security
The episode underscores how permissionless design magnifies the need for airtight configuration. Risk can be reduced by isolating fee-receiver wallets from experimental routing, defaulting to deny-all approval policies with strict limits, simulating transactions before deployment, and rehearsing rapid-revoke protocols. While discussions about MEV mitigation, such as mempool encryption, continue, disciplined approval management remains the front line of defense.