Coinbase recently lost about $300,000 in token fees after a flaw in how its corporate wallet interacted with a smart contract from the 0x Project.
A security researcher at Venn Network, deeberiroz, reported that Coinbase's wallet had mistakenly approved tokens to a "swapper" contract. According to the screenshot shared by the researcher, the tokens included ONDO, AMP and SWELL, among others.
The swapper contract exists solely to execute trades and was never designed to hold token approvals. Because the contract can be invoked by anyone, an approval granted to it allows arbitrary callers to move the approved tokens; this misconfiguration left the funds exposed to MEV bots built to exploit exactly this kind of lapse.
Maximal Extractable Value (MEV) bots are automated programs operating on blockchains. They exist solely to identify and profit from opportunities in transaction ordering, such as price differences.
The security officer at Coinbase, Philip Martin, verified the incident by saying, “I can confirm this is an isolated issue due to a change we made with one of our corporate DEX wallets, which led to unauthorized transfers.” The exchange has since shut down the token approvals and transferred the remaining funds into a new wallet.
What is the 0x Protocol?
Launched in 2016, the 0x Protocol is an open-source, Ethereum-based infrastructure that enables peer-to-peer digital asset trading. It is a collection of publicly audited smart contracts that developers can use to build trading applications. The protocol is flexible and is used by many platforms to pool liquidity and enable token swapping.
In the Coinbase case, the MEV bots drained the funds because the exchange's improperly configured approvals let them invoke the swapper contract and carry out unauthorized transfers of the approved tokens.
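Added example, not Coinbase's or 0x's code: a Python audit that replays a wallet's ERC-20 Approval logs, flags non-zero allowances granted to spenders outside an allowlist (such as a trade-only contract like the swapper), and builds the approve(spender, 0) calldata needed to revoke them. The wallet, token and contract addresses and the log entries are constructed placeholders.

```python
# Added example, not Coinbase's or 0x's code; addresses and logs are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVE_SELECTOR = "0x095ea7b3"  # approve(address,uint256)
UINT256_MAX = 2**256 - 1

def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs, owner):
    """Replay Approval events in chain order; the latest per (token, spender) wins."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue
        spender = topic_to_address(log["topics"][2])
        allowances[(log["address"].lower(), spender)] = int(log["data"], 16)
    return allowances

def flag_unexpected(allowances, allowed_spenders):
    """Non-zero allowances to spenders that should never hold an approval."""
    allowed = {a.lower() for a in allowed_spenders}
    return {k: v for k, v in allowances.items() if v > 0 and k[1] not in allowed}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): 4-byte selector + two 32-byte words."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample: placeholder addresses, not real contracts.
WALLET = "0x" + "aa" * 20
TOKEN_A = "0x" + "01" * 20   # stands in for a token such as ONDO
TOKEN_B = "0x" + "02" * 20
SWAPPER = "0x" + "5a" * 20   # trade-execution contract; must never hold approvals
ROUTER = "0x" + "77" * 20    # the one spender this wallet is expected to approve

def _approval(block, idx, token, spender, value):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(WALLET), pad(spender)],
            "data": "0x" + f"{value:064x}"}

SAMPLE_LOGS = [
    _approval(100, 0, TOKEN_A, ROUTER, UINT256_MAX),
    _approval(101, 3, TOKEN_A, SWAPPER, UINT256_MAX),  # the mistaken approval
    _approval(102, 1, TOKEN_B, SWAPPER, 10**18),
    _approval(103, 0, TOKEN_B, SWAPPER, 0),            # later revoked on-chain
]
```

Running `flag_unexpected(current_allowances(SAMPLE_LOGS, WALLET), {ROUTER})` leaves only the unlimited TOKEN_A allowance to SWAPPER, and `revoke_calldata(SWAPPER)` is the transaction input that clears it.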