Coinbase’s Misauthorization Leads to Trouble: MEV Bots Exploit the Opportunity, Resulting in $300,000 Instant Loss

Coinbase Suffers $300,000 Loss Due to Wallet Configuration Error

One of the world’s largest cryptocurrency exchanges, Coinbase, recently lost approximately $300,000 in tokens because of a configuration error in its corporate wallet. The error unintentionally granted token approvals to the “swapper” contract of the decentralized trading protocol 0x Project, and an MEV bot that had long been lying in wait exploited those approvals immediately.

Beginning of the Error: Swapper Contract Authorization Incident

The issue originated from Coinbase’s interaction with the decentralized trading protocol 0x Project, which provides a smart contract called “swapper.” The contract is permissionless: anyone can call it.

In simple terms, this permissionless contract was designed solely to execute token swaps and should never have received long-lived token approvals, because an approval lets the contract transfer the approved tokens out of the wallet, which introduces security risk.

According to Venn Network security researcher deeberiroz, Coinbase mistakenly approved multiple tokens, including Amp, MyOneProtocol, DEXTools, and Swell Network, for this contract during a recent operation. Since anyone can call the contract, the approval was equivalent to throwing a set of vault keys into the public domain.

Coinbase’s Momentary Oversight: MEV Bots Strike Successfully

MEV bots had been lying in wait for a long time, watching for erroneous approvals from high-value wallets. As soon as Coinbase’s approval transaction was included in a block, the bots called the swapper contract and transferred the approved tokens directly to their own addresses.

As this process was automated, it was completed almost instantaneously, leaving Coinbase with no time to revoke the authorization or prevent the transfer. As deeberiroz described, “They have been waiting for someone to make a mistake, and once it happens, they will immediately move the money. Coinbase’s oversight allowed them to cash in significantly.”

Among the most notorious actors in the blockchain world, MEV bots monitor every transaction in the mempool and maximize their own profit by front-running or reordering transactions.

Coinbase’s Emergency Response: User Funds Remain Secure

Coinbase’s Chief Information Security Officer, Philip Martin, subsequently responded on the X platform, stating that this was an isolated incident that occurred while a corporate wallet was being modified, that the wallet was used solely to accumulate fee revenue, and that no customer funds were affected.

The company has since taken immediate remedial measures, including revoking all erroneous approvals and moving the funds to a new corporate wallet so that the situation cannot recur.

Although $300,000 may seem insignificant to Coinbase, the incident is a costly reminder that even the largest exchanges still have security lessons to learn.

Warning: Regularly Revoke Unnecessary Approvals

This incident highlights a critical weak point in cryptocurrency asset security: token approval management. On-chain, an erroneous approval lets the approved party move the user’s assets up to the approved amount. Because on-chain actions are public, transparent, and irreversible, recovering the funds is nearly impossible.

It is also a warning for individual users: regularly checking and revoking unnecessary approvals is a fundamental part of on-chain security hygiene. Tools such as the approval-revocation website Revoke can help users clear such risks in time.
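The check described above, as an added example that is not code from the article, Coinbase, 0x Project or the Revoke tool: it replays ERC-20 Approval logs for a wallet, reports every spender that still holds a non-zero allowance, and builds the approve(spender, 0) calldata that revokes it. All addresses and log entries are constructed stand-ins; the event topic and function selector are the standard ERC-20 values.

```python
from typing import Dict, List, Tuple

# Standard ERC-20 identifiers: keccak256("Approval(address,address,uint256)")
# and the 4-byte selector of approve(address,uint256).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"

# Constructed stand-ins (not real addresses) for the owner wallet, the
# permissionless swapper contract and two token contracts.
OWNER, SWAPPER = "0x" + "c0" * 20, "0x" + "5a" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20

def word(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte word used in topics and calldata."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def allowances_from_logs(owner: str, logs: List[dict]) -> Dict[Tuple[str, str], int]:
    """Replay Approval logs in block order and keep the latest value per (token, spender).
    Screening view only: transferFrom can lower an allowance without emitting Approval,
    so confirm any hit with token.allowance(owner, spender) before acting on it."""
    state: Dict[Tuple[str, str], int] = {}
    for log in logs:
        topics = log["topics"]
        if topics[0] != APPROVAL_TOPIC or topics[1] != word(owner):
            continue
        spender = "0x" + topics[2][-40:]          # indexed address: low 20 bytes of the topic
        state[(log["address"].lower(), spender)] = int(log["data"], 16)
    return state

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0), the transaction that revokes an allowance."""
    return "0x" + APPROVE_SELECTOR + word(spender)[2:] + "0" * 64

def pending_revocations(owner: str, logs: List[dict]) -> List[Tuple[str, str, str]]:
    """(token, spender, calldata) for every allowance that is still above zero."""
    return [(token, spender, revoke_calldata(spender))
            for (token, spender), amount in allowances_from_logs(owner, logs).items()
            if amount > 0]

# Constructed logs: an unlimited approval on TOKEN_A, and a 1-wei approval on
# TOKEN_B that a later approve(SWAPPER, 0) has already revoked.
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, word(OWNER), word(SWAPPER)], "data": "0x" + "f" * 64},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, word(OWNER), word(SWAPPER)], "data": "0x" + "1".rjust(64, "0")},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, word(OWNER), word(SWAPPER)], "data": "0x" + "0" * 64},
]

if __name__ == "__main__":
    for token, spender, data in pending_revocations(OWNER, SAMPLE_LOGS):
        print(f"send to {token}: {data}   # approve({spender}, 0)")
```

Only TOKEN_A is reported, because the last Approval log for TOKEN_B set the allowance back to zero.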
