Coinbase lost approximately $300,000 due to an error involving a 0x Project smart contract, which allowed a maximal extractable value (MEV) bot to drain its corporate wallet. The mishap occurred when Coinbase mistakenly approved assets to a permissionless swapper contract, a tool intended for executing swaps but not for receiving token approvals. Security researcher Deebeez highlighted that once the approvals were granted, the MEV bot was able to transfer the approved tokens from Coinbase's fee receiver account. The researcher noted that such vulnerabilities were previously observed with other projects. Coinbase's chief security officer said that no customer funds were impacted, attributed the issue to a configuration change in a corporate DEX wallet, and confirmed that the token allowances were revoked after the incident.
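
The condition described above, a live token allowance granted to a contract that was never meant to hold approvals, can be checked by replaying a wallet's ERC-20 `Approval` events. The following is an added example, not code from Coinbase, 0x, or the original report; every address, the allowlist, and the event list are constructed placeholders.

```python
from collections import namedtuple

Approval = namedtuple("Approval", "block token owner spender value")
UNLIMITED = 2**256 - 1  # the common "infinite approval" value

# Constructed placeholder addresses (not real on-chain values).
FEE_WALLET = "0x" + "f1" * 20        # hypothetical fee receiver wallet
SWAPPER = "0x" + "5a" * 20           # hypothetical permissionless swapper
ALLOWANCE_HOLDER = "0x" + "a1" * 20  # hypothetical contract meant to receive approvals
TOKEN_A, TOKEN_B = "0x" + "0a" * 20, "0x" + "0b" * 20

# Spenders the wallet policy permits approvals to (assumption for this example).
APPROVED_SPENDERS = {ALLOWANCE_HOLDER}

# Constructed Approval events, as they would be decoded from token logs.
SAMPLE_EVENTS = [
    Approval(100, TOKEN_A, FEE_WALLET, ALLOWANCE_HOLDER, 5_000),
    Approval(120, TOKEN_A, FEE_WALLET, SWAPPER, UNLIMITED),
    Approval(121, TOKEN_B, FEE_WALLET, SWAPPER, 250_000),
    Approval(140, TOKEN_B, FEE_WALLET, SWAPPER, 0),  # revocation
]

def current_allowances(events):
    """Replay Approval events; each event overwrites the previous allowance."""
    state = {}
    # Stable sort: events in the same block keep their input (log) order.
    for ev in sorted(events, key=lambda e: e.block):
        key = (ev.owner, ev.token, ev.spender)
        if ev.value == 0:
            state.pop(key, None)  # approve(spender, 0) revokes
        else:
            state[key] = ev.value
    return state

def risky_allowances(events, allowlist):
    """Return live allowances granted to spenders outside the allowlist."""
    findings = []
    for (owner, token, spender), value in current_allowances(events).items():
        if spender not in allowlist:
            findings.append({"owner": owner, "token": token, "spender": spender,
                             "unlimited": value == UNLIMITED, "value": value})
    return findings

if __name__ == "__main__":
    for finding in risky_allowances(SAMPLE_EVENTS, APPROVED_SPENDERS):
        print(finding)
```

Allowances derived from events are an upper bound, because some tokens do not emit `Approval` when `transferFrom` spends an allowance; confirm each finding with the token's `allowance()` call before and after revoking.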
