Coinbase, America’s leading crypto exchange, experienced a $300,000 loss due to the exploitation of a configuration error involving 0xProject’s token exchange functionality, reportedly by MEV bots.

On August 13th, a security researcher using the alias Deebeez disclosed that Coinbase mistakenly utilized the 0x swapper for token approvals, a purpose it was not initially designed to serve.

Deebeez commented:

“The 0x swapper, designed for token swaps and not approvals, has a known history of issues, particularly with Zora claims on the Base network, due to its capacity to execute user-defined calls.”

According to the researcher, this misconfiguration gave unlimited access to tokens gathered as fees within the exchange’s router, thereby creating a vulnerability that was readily exploited.

MEV Bots Drain Coinbase (Source: X/Deebeez)

Consequently, MEV bots systematically emptied Coinbase’s fee collection account of all stored tokens by exploiting the opening.

Deebeez further noted:

“It seems an MEV bot was active, waiting for users to approve transactions to this specific contract, with the intent to drain their funds. Thanks to Coinbase’s error, their opportunity materialized.”

Coinbase’s Response

Philip Martin, Coinbase’s Chief Security Officer, confirmed that the incident was contained and isolated.

According to Martin, the cause of the breach was a recent modification to one of Coinbase’s decentralized exchange (DEX) wallets used for corporate purposes, which facilitated the unauthorized transfers.

Importantly, he emphasized that customer funds remained unaffected by the incident.

Martin also stated that Coinbase has since invalidated the compromised token permissions and transferred all assets to a new corporate wallet, preventing further potential losses.
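The misconfiguration described above (a treasury wallet granting an ERC-20 allowance to a contract that executes user-defined calls) and the revocation Martin describes, as an added audit example that is not from the article, Coinbase or 0x. It decodes `approve`/`increaseAllowance` calldata with the standard ERC-20 selectors; the spender addresses and transactions are constructed, and the "arbitrary call executor" set is a placeholder for contracts known to execute caller-supplied calls.

```python
APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
INCREASE_ALLOWANCE_SELECTOR = "39509351"  # keccak256("increaseAllowance(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1

# Placeholder (constructed, not real deployments): spenders that execute caller-supplied calls
ARBITRARY_CALL_EXECUTORS = {"0x" + "ab" * 20}

def decode_approval(calldata):
    """Return (spender, amount) for approve/increaseAllowance calldata, else None."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) != 8 + 64 + 64:
        return None
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE_SELECTOR, INCREASE_ALLOWANCE_SELECTOR):
        return None
    spender = "0x" + args[24:64]  # address occupies the low 20 bytes of the first word
    amount = int(args[64:128], 16)
    return spender.lower(), amount

def audit(txs):
    """Flag approvals a treasury wallet should not grant: any allowance to a
    contract that executes user-defined calls, and unlimited allowances to anyone."""
    findings = []
    for tx in txs:
        decoded = decode_approval(tx["input"])
        if decoded is None:
            continue
        spender, amount = decoded
        if spender in ARBITRARY_CALL_EXECUTORS:
            findings.append((tx["hash"], spender, "spender executes user-defined calls"))
        elif amount == MAX_UINT256:
            findings.append((tx["hash"], spender, "unlimited allowance"))
    return findings

def revocation_calldata(spender):
    """Calldata for approve(spender, 0), the call that invalidates a granted allowance."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample transactions sent from a corporate wallet
SAMPLE_TXS = [
    {"hash": "tx1", "input": "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32},
    {"hash": "tx2", "input": "0x095ea7b3" + "00" * 12 + "cd" * 20 + "3e8".rjust(64, "0")},
    {"hash": "tx3", "input": "0x39509351" + "00" * 12 + "cd" * 20 + "ff" * 32},
    {"hash": "tx4", "input": "0xa9059cbb" + "00" * 12 + "cd" * 20 + "3e8".rjust(64, "0")},
]

if __name__ == "__main__":
    for tx_hash, spender, reason in audit(SAMPLE_TXS):
        print(tx_hash, spender, reason, "-> revoke with", revocation_calldata(spender))
```

Only tx1 and tx3 are flagged: tx2 is a bounded allowance to an ordinary spender and tx4 is a plain transfer, not an approval.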

This event follows a prior data breach, attributed to an insider, which exposed the private data of roughly 70,000 users.

Coinbase reported that the perpetrators then demanded a $20 million ransom in Bitcoin. They also leveraged the exfiltrated data to impersonate Coinbase employees in elaborate social engineering schemes, reportedly resulting in millions of dollars in losses.

Subsequently, Coinbase announced the implementation of improved security measures to mitigate future attacks and terminated the employment of personnel implicated in the earlier security lapse.
