Crypto exchange Coinbase lost around $300,000 after a misstep involving decentralized exchange protocol 0x’s “swapper” contract allowed automated trading bots to drain tokens from one of its corporate wallets.
Security researcher “deeberiroz” of Venn Network flagged the incident on Wednesday, saying Coinbase mistakenly approved tokens to the swapper contract — a permissionless tool not meant to hold token allowances. This opened the door for MEV (maximal extractable value) bots, which instantly transferred out the funds once approvals went live.
Coinbase chief security officer Philip Martin confirmed the loss, describing it as “an isolated issue” tied to a change in a corporate DEX wallet. He stressed that no customer funds were affected.
MEV bots are designed to exploit blockchain transaction sequencing to capture profits. In this case, the bots were reportedly waiting for high-value wallets — such as Coinbase’s fee receiver — to grant spending rights to exposed contracts, enabling them to trigger instant token drains.
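
As an added illustration (not code from Coinbase, 0x or Venn Network), a pre-signing check can decode ERC-20 allowance calls and refuse any that name a permissionless executor contract as the spender. The denylist address is a constructed placeholder, not the real swapper address, and the function names are hypothetical.

```python
# Added example: pre-signing guard for ERC-20 allowance calls.
# Selectors are the standard 4-byte function identifiers.
APPROVE = bytes.fromhex("095ea7b3")             # approve(address,uint256)
INCREASE_ALLOWANCE = bytes.fromhex("39509351")  # increaseAllowance(address,uint256)

# Assumption: a maintained denylist of contracts that let any caller move
# tokens they hold allowances for. The entry below is a constructed placeholder.
PERMISSIONLESS_EXECUTORS = {"0x" + "11" * 20: "permissionless swapper (placeholder)"}


def build_call(selector, spender, amount):
    """Build constructed sample calldata: selector + two 32-byte ABI words."""
    words = bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")
    return "0x" + (selector + words).hex()


def decode_allowance_call(calldata_hex):
    """Return (spender, amount) for an allowance call, or None for anything else."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 68 or data[:4] not in (APPROVE, INCREASE_ALLOWANCE):
        return None
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):
        # A valid ABI-encoded address is left-padded with 12 zero bytes.
        raise ValueError("malformed address word in calldata")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def review_transaction(calldata_hex, denylist=PERMISSIONLESS_EXECUTORS):
    """Decide whether a wallet should sign: 'pass', 'review' or 'block'."""
    decoded = decode_allowance_call(calldata_hex)
    if decoded is None:
        return ("pass", "not an allowance call")
    spender, amount = decoded
    if amount == 0:
        return ("pass", "zero amount grants no spending rights")
    if spender in denylist:
        return ("block", f"allowance to {denylist[spender]}")
    # Unknown spenders are not drained automatically, but still deserve a human look.
    return ("review", f"allowance of {amount} to unlisted spender {spender}")


if __name__ == "__main__":
    swapper = "0x" + "11" * 20
    print(review_transaction(build_call(APPROVE, swapper, 2**256 - 1)))
```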
While the $300,000 hit is minor for Coinbase, the episode highlights how even large exchanges remain vulnerable to targeted automated exploits in the decentralized finance ecosystem.
Earlier in May, Coinbase was the target of a $20 million extortion attempt after cybercriminals recruited overseas customer service contractors to leak user data, in what the company described as a coordinated insider threat.
Coinbase disclosed that a small group of customer support agents, hired through third-party vendors, had been bribed by external actors to access internal systems. The breach affected less than 1% of the platform’s monthly transacting users, though no passwords, private keys, funds, or Coinbase Prime accounts were compromised, the company said.
The attackers later demanded $20 million in Bitcoin in exchange for not publishing stolen user data. Coinbase refused to pay the ransom and instead offered a $20 million bounty for information leading to the identification and conviction of those responsible.


