He noted:
“0x has a swapper which is never meant to get approvals. This same swapper is known to have had issues with Zora claims on Base, since it allows users to have it make arbitrary calls.”
According to him, the approval gave the swapper an unlimited allowance over the tokens accrued as fees in the exchange’s router. Because the swapper lets any caller route arbitrary calls through it, that allowance was effectively usable by anyone, not just the exchange.
As a result of this oversight, the MEV bots drained Coinbase’s fee receiver account of all accumulated tokens.
He added:
“There appears to have been an MEV bot lurking in the dark, waiting for users to mistakenly approve to this contract – and then drain all their funds. Well, their dream came true thanks to Coinbase.”
According to Martin, the incident stemmed from a recent change to one of the company’s corporate decentralized exchange (DEX) wallets, which led to unauthorized token transfers.
Meanwhile, he stressed that the incident impacted no customer assets.
Martins added that the exchange has since revoked token allowances and moved its holdings to a new corporate wallet to prevent further losses.
Since then, Coinbase said it has strengthened its security protocols to prevent future attacks and terminated the employees implicated in the breach.