Coinbase has confirmed it lost roughly $300,000 in token fees after a misstep involving the 0x Project’s “swapper” contract left funds exposed to opportunistic bots.
The incident was first flagged on Wednesday by blockchain security researcher “deeberiroz” from Venn Network. In a post on X (formerly Twitter), the researcher revealed that Coinbase mistakenly approved token transfers to the 0x swapper — a permissionless smart contract built for executing decentralized token swaps.
Looks like @coinbase was recently drained of ~$300,000 after using @0xProject swapper incorrectly. They approved all the tokens accrued as fees to their router, getting drained immediately by MEV bots 🧵 pic.twitter.com/yWNHl8nupg
— deebeez (@deeberiroz) August 13, 2025
While the swapper is designed to let anyone perform trades without ownership restrictions, it isn’t meant to receive token approvals. Granting such permissions creates a security risk, as malicious actors can trigger transfers without the owner’s consent.
According to the researcher, the misconfiguration affected Coinbase’s corporate wallet and led to approvals for tokens such as Amp, MyOneProtocol, DEXTools, and Swell Network around 3:21 p.m. Shortly afterward, a “miner extractable value” (MEV) bot — programmed to monitor and exploit such mistakes — drained the approved tokens.
“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract — and then drain all their funds,” wrote deeberiroz. “Well, their dream came true thanks to Coinbase … They made a killing by draining the Coinbase fee receiver account of all the tokens they gathered.”
Screenshots shared by the researcher show the bot calling the swapper contract to execute transfers directly from Coinbase’s wallet to its own addresses.
Philip Martin, Coinbase’s chief security officer, confirmed the breach in a reply to the X thread, calling it an “isolated issue” stemming from a recent change to one of the company’s corporate decentralized exchange (DEX) wallets.
“No customer funds were affected,” Martin stressed, adding that Coinbase quickly revoked token allowances and moved assets to a new corporate wallet to prevent further losses.
Thanks for flagging. I can confirm this is an isolated issue due to a change we made with one of our corporate DEX wallets, which led to unauthorized transfers. No customer funds were impacted. We’re revoking token allowances and are moving funds to a new corporate wallet. Big…
— Philip Martin (@SecurityGuyPhil) August 13, 2025
While the amount lost is relatively small for the exchange, the case highlights how even well-resourced crypto companies can fall prey to automated exploit strategies if contract interactions aren’t carefully configured.
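The kind of allowance audit that catches this class of mistake can be sketched in a few lines. The following is an added example, not code from Coinbase, 0x or the researcher: it replays ERC-20 Approval event logs for one wallet and reports every non-zero allowance granted to a spender outside an expected list, which is the set of approvals that would need revoking. All addresses, the `EXPECTED_SPENDER` name and the sample logs are constructed placeholders.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def risky_allowances(logs, owner, allowed_spenders):
    """Map (token, spender) -> last approved amount for each non-zero allowance
    `owner` granted outside `allowed_spenders` (an upper bound on the live value)."""
    owner = owner.lower()
    allowed = {s.lower() for s in allowed_spenders}
    latest = {}
    # Replay in chain order so a later approve(spender, 0) overrides a grant.
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0 and k[1] not in allowed}

# --- Constructed sample data: placeholder addresses, not from the incident ---
WALLET = "0x" + "aa" * 20            # fee-collecting wallet being audited
SWAPPER = "0x" + "bb" * 20           # permissionless contract, must hold no approvals
EXPECTED_SPENDER = "0x" + "cc" * 20  # hypothetical spender the wallet does intend
OTHER = "0x" + "dd" * 20             # unrelated owner, ignored by the audit
TOKEN_A, TOKEN_B = "0x" + "01" * 20, "0x" + "02" * 20

def _log(block, index, token, owner, spender, amount):
    padded = ["0x" + a[2:].rjust(64, "0") for a in (owner, spender)]
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC] + padded,
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(105, 0, TOKEN_B, WALLET, SWAPPER, 0),             # revocation, listed first on purpose
    _log(100, 0, TOKEN_A, WALLET, EXPECTED_SPENDER, 500),
    _log(101, 3, TOKEN_A, WALLET, SWAPPER, 2**256 - 1),    # unlimited grant, never revoked
    _log(101, 4, TOKEN_B, WALLET, SWAPPER, 1000),
    _log(102, 1, TOKEN_B, OTHER, SWAPPER, 7),
]

if __name__ == "__main__":
    print(risky_allowances(SAMPLE_LOGS, WALLET, {EXPECTED_SPENDER}))
```

Because many tokens do not emit an event when `transferFrom` spends an allowance, the reported amount should be confirmed against the token's on-chain `allowance(owner, spender)` before acting on it.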