
Coinbase concedes $300K loss to MEV bot attack due to 0xProject swapper oversight

Cryptopolitan, 14 August 2025, 11:14

Coinbase has lost $300,000 in accumulated fees to an MEV bot after interacting with the 0xProject swapper smart contract. Pseudonymous security researcher deebeez disclosed the incident on X, noting that the exchange had used the swapper incorrectly.

According to Deebeez, the 0xProject contract used to execute swaps is permissionless: anyone can call it to execute any action, without restrictions.

For this reason it is not suitable for receiving token approvals. Coinbase, however, appears to have been unaware of this: it approved the contract to spend tokens of protocols such as DEXTools, Swell Network, MyOneProtocol, Amp, Data Lake, Ondo Finance, and Destra Network, allowing an MEV bot to swoop in and drain all the approved funds once the exchange had granted the approvals.

He said:

“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract – and then drain all their funds. Well, their dream came true thanks to Coinbase.”

The researcher described the incident as an expensive lesson for the Coinbase team, which the team itself has acknowledged. Coinbase chief security officer Philip Martin confirmed the incident, adding that it was an isolated issue caused by changes to one of its corporate DEX wallets.

He added that the incident did not affect any customer funds, and that the team is now “revoking token allowances and moving funds to a new corporate wallet.”

Meanwhile, some users suggested that this could have been prevented had the mempool been encrypted. Deebeez, however, noted that sandwich attacks are not the same thing as MEV attacks in general, and that encrypting the mempool would only prevent sandwich attacks.

Incident adds to criticisms against Coinbase

Unsurprisingly, the incident is another sore point for Coinbase critics, even though it did not affect the exchange's users. Some critics noted that a mistake of this kind by a major exchange is concerning, especially since it disclosed a cyber attack that could cost it up to $400 million only a few months ago.

Meanwhile, according to users on X, the exchange had also recently experienced downtime, with at least two people sharing screenshots showing they could not access their Coinbase accounts. Some users have criticized the exchange for adding the Solana memecoin USELESS to its asset listing roadmap.

Nevertheless, Coinbase remains the biggest exchange in the US and ranks ninth globally with around 5.8% of the market share according to CoinGecko. This puts it above Crypto.com with 5.1% even as several other offshore exchanges continue to see more volume.

Security analysts identify composability risks

Meanwhile, this is not the first time funds have been drained from the 0x contract. In April, Zora's claim contract was also affected after it assigned ZORA tokens to the 0x Settler contract through an airdrop.

Soon after the airdrop, an attacker drained the address and swapped the allocation for $128,000 worth of ETH. Security research firm BlockAid identified the incident as a Composability Attack. According to the firm, this is a new class of on-chain risk where independently secure components can create vulnerable conditions when they interact.

It said:

“A Composability Attack occurs when two or more independently secure systems interact in an unexpected way that creates an exploitable condition, without requiring any vulnerabilities in the systems themselves.”

In this case, the two systems were the Zora airdrop claim mechanism and the 0x Settler contract. The Zora mechanism let recipients claim tokens through its claim function, making no distinction between externally owned accounts (EOAs) and smart contracts as long as the address was eligible.

While this allowed anyone eligible to claim the airdrop, it also meant that the 0x Settler contract address could receive tokens. Once Zora mistakenly assigned tokens meant for the 0x ecosystem to the contract, anyone who understood the interaction could easily claim them.
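Both incidents on this page come down to the same operational gap: value (an ERC-20 allowance in Coinbase's case, a direct token balance in Zora's) ended up controllable by a contract that anyone may drive. The script below is an added example, not code from Coinbase, Zora, 0x or Blockaid, showing the hygiene check a treasury or wallet-operations team would run from a defender's side: replay constructed `Approval` and `Transfer` event records for a wallet, flag allowances granted to known permissionless executors or set to the unlimited value, flag balances that have landed at such executors, and build the `approve(spender, 0)` calldata needed to revoke. All addresses, token contracts and event values are constructed placeholders; the set of "permissionless executor" addresses is an assumption the operator would maintain. Note that replaying `Approval` events alone is conservative, since `transferFrom` decrements finite allowances without emitting a new `Approval`; the authoritative value is an on-chain `allowance()` call.

```python
"""Allowance and stranded-balance audit for a treasury wallet (constructed example)."""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
# 4-byte function selector of approve(address,uint256), keccak256 of the signature.
APPROVE_SELECTOR = "095ea7b3"

# Constructed placeholder addresses (40 hex chars each), not real deployments.
TREASURY = "0x" + "c0ffee" * 6 + "0001"      # the corporate wallet being audited
EXECUTOR = "0x" + "5e77" * 10                # assumed permissionless swap executor
DEX_ROUTER = "0x" + "d" * 40                 # a spender the operator considers acceptable
AIRDROP = "0x" + "a1d0" * 10                 # an airdrop claim contract
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + c * 40 for c in "abc")

# Operator-maintained denylist of contracts that forward arbitrary calls (assumption).
PERMISSIONLESS_EXECUTORS = {EXECUTOR.lower()}


@dataclass(frozen=True)
class Event:
    token: str
    name: str   # "Approval" or "Transfer"
    a: str      # owner (Approval) or from (Transfer)
    b: str      # spender (Approval) or to (Transfer)
    value: int


# Constructed event log: an unlimited approval to the executor, a bounded approval to a
# router, and an airdrop allocation transferred straight to the executor address.
EVENTS = [
    Event(TOKEN_A, "Approval", TREASURY, EXECUTOR, UINT256_MAX),
    Event(TOKEN_B, "Approval", TREASURY, DEX_ROUTER, 1_000),
    Event(TOKEN_C, "Transfer", AIRDROP, EXECUTOR, 5_000),
]


def current_allowances(events, owner):
    """Latest Approval per (token, spender) wins, because approve() overwrites."""
    allowances = {}
    for ev in events:
        if ev.name == "Approval" and ev.a.lower() == owner.lower():
            allowances[(ev.token.lower(), ev.b.lower())] = ev.value
    return {k: v for k, v in allowances.items() if v > 0}


def flag_risky_allowances(allowances, permissionless):
    """Return (token, spender, value, reasons) for allowances an operator should revoke."""
    findings = []
    for (token, spender), value in allowances.items():
        reasons = []
        if spender in permissionless:
            reasons.append("spender is a permissionless executor")
        if value == UINT256_MAX:
            reasons.append("unlimited allowance")
        if reasons:
            findings.append((token, spender, value, reasons))
    return findings


def stranded_balances(events, holders):
    """Net Transfer flow into addresses anyone can drive (the airdrop-to-contract case)."""
    balances = {}
    for ev in events:
        if ev.name != "Transfer":
            continue
        for addr, sign in ((ev.b.lower(), 1), (ev.a.lower(), -1)):
            if addr in holders:
                key = (ev.token.lower(), addr)
                balances[key] = balances.get(key, 0) + sign * ev.value
    return {k: v for k, v in balances.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, left-padded address, zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def run_audit(events=EVENTS, owner=TREASURY, permissionless=PERMISSIONLESS_EXECUTORS):
    findings = flag_risky_allowances(current_allowances(events, owner), permissionless)
    return {
        "revoke": [(token, spender, revoke_calldata(spender)) for token, spender, _, _ in findings],
        "findings": findings,
        "stranded": stranded_balances(events, permissionless),
    }


if __name__ == "__main__":
    report = run_audit()
    for token, spender, value, reasons in report["findings"]:
        print(f"REVOKE token={token} spender={spender} value={value}: {', '.join(reasons)}")
    for (token, holder), value in report["stranded"].items():
        print(f"STRANDED token={token} held_by={holder} amount={value}")
```

The bounded allowance to the router is deliberately left unflagged so the output shows only what needs action; in practice the safe default after each swap is to reset the spender's allowance to zero in the same operational step, so the audit finds nothing at all.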
