Coinbase lost $300,000 in token fees after mistakenly approving assets to a 0x swapper contract, enabling an MEV bot to drain its corporate wallet.

Coinbase lost about $300,000 in token fees after mistakenly approving assets to a 0x Project smart contract, allowing a maximal extractable value (MEV) bot to drain the funds.

Deebeez, a security researcher at Venn Network, flagged the incident in a Wednesday post on X. He said Coinbase’s corporate wallet interacted with 0x’s “swapper” contract, a permissionless tool designed to execute swaps but not to receive token approvals.

Since anyone can call the contract to perform arbitrary actions, granting approvals can expose assets to immediate theft. “This same swapper is known to have had issues with Zora claims on Base,” the researcher wrote, linking to past cases where the setup enabled malicious actors to extract funds without exploiting code vulnerabilities.

Screenshots shared by Deebeez showed Coinbase granting approvals for tokens including Amp, MyOneProtocol, DEXTools and Swell Network on Wednesday afternoon. Soon after, an MEV bot called the swapper contract to transfer the approved tokens from Coinbase’s fee receiver account into its addresses.