Coinbase Bleeds $300K to MEV Bots—0xProject Swapper Glitch to Blame
Another day, another crypto cash grab—this time at Coinbase's expense. MEV bots just siphoned $300K from the exchange, exploiting a gap in 0xProject's swapper logic. Who needs hackers when you've got code that practically invites arbitrage?
How It Went Down
The bots pounced on a pricing lag in 0xProject's swap mechanism, front-running transactions faster than a Wall Street insider. Coinbase confirmed the loss, though $300K is barely a rounding error in their quarterly earnings—call it a 'cost of doing business' in DeFi's wild west.
Security or Speed? Pick One
Exchanges keep choosing liquidity over ironclad safeguards. Meanwhile, MEV bots treat these gaps like an all-you-can-extract buffet. 0xProject's team is 'reviewing the incident'—code for 'writing a postmortem nobody will read.'
Closing Thought: Maybe next time, test the swapper with more than Monopoly money before going live.
Incident adds to criticisms against Coinbase
Unsurprisingly, the incident represents another sore point for Coinbase critics, although it did not affect the exchange's users. Some critics noted that this kind of mistake from a major exchange is concerning, especially given that a few months ago it disclosed a cyber attack that could cost it up to $400 million.
Meanwhile, according to users on X, the exchange had also recently experienced downtime, with at least two people sharing screenshots showing they could not access their Coinbase accounts. Some users have criticized the exchange for adding the Solana memecoin USELESS to its asset listing roadmap.
Nevertheless, Coinbase remains the biggest exchange in the US and ranks ninth globally with around 5.8% of the market share according to CoinGecko. This puts it above Crypto.com with 5.1% even as several other offshore exchanges continue to see more volume.
Security analysts identify composability risks
Meanwhile, this is not the first time funds have been drained from the 0x wallet. In April, Zora’s claim contract was also affected after it assigned ZORA tokens to the 0x settler contract through an airdrop.
Soon after the airdrop, an attacker drained the address and swapped the allocation for $128,000 worth of ETH. Security research firm BlockAid identified the incident as a Composability Attack. According to the firm, this is a new class of on-chain risk where independently secure components can create vulnerable conditions when they interact.
It said:
“A Composability Attack occurs when two or more independently secure systems interact in an unexpected way that creates an exploitable condition, without requiring any vulnerabilities in the systems themselves.”
In this case, the two systems were the Zora airdrop claim mechanism and the 0x Settler contract. The Zora mechanism allowed recipients to claim tokens through its claim function. It made no distinction between externally owned accounts (EOAs) and smart contracts as long as the address was eligible.
While this allowed anyone eligible to claim the airdrop, it also meant that the 0x Settler contract address could receive tokens. Once Zora mistakenly assigned the tokens meant for the 0x ecosystem to that contract, anyone who understood how the two contracts interact could claim them.
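The claim pattern described above, shown side by side with a hardened variant, as an added illustration that is not Zora's claim contract or the 0x Settler. The contract name, function names, custom errors and the allocation table are all assumptions made for the example; the point is only that an airdrop contract which pays out to whichever eligible address is named, without regard to who controls that address, will happily fund a contract that does not custody tokens for its intended beneficiary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; this is NOT Zora's claim contract or the 0x Settler.
// Contract name, function names and the allocation table are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract AirdropClaim {
    IERC20 public immutable token;
    address public immutable owner;

    // Constructed sample allocation table, set once by the deployer.
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;
    // Contract recipients the deployer has explicitly vetted (e.g. a team multisig).
    mapping(address => bool) public approvedContractRecipient;

    error NotEligible(address who);
    error AlreadyClaimed(address who);
    error ContractRecipientNotApproved(address who);

    constructor(IERC20 _token, address[] memory recipients, uint256[] memory amounts) {
        require(recipients.length == amounts.length, "length mismatch");
        token = _token;
        owner = msg.sender;
        for (uint256 i = 0; i < recipients.length; i++) {
            allocation[recipients[i]] = amounts[i];
        }
    }

    // Pattern described in the article: any eligible address receives the tokens
    // and the caller is irrelevant. An allocation assigned to a contract that does
    // not custody tokens for its beneficiary (such as a swap settler) ends up
    // controlled by whoever can route calls through that contract.
    function claimFor(address recipient) external {
        _payout(recipient);
    }

    // Hardened variant: the eligible address must be the caller itself, and a
    // contract caller is rejected unless the deployer vetted it in advance.
    function claim() external {
        if (msg.sender.code.length != 0 && !approvedContractRecipient[msg.sender]) {
            revert ContractRecipientNotApproved(msg.sender);
        }
        _payout(msg.sender);
    }

    // Deployer-side review step: allow a specific contract to claim only after
    // confirming who actually controls it.
    function approveContractRecipient(address recipient) external {
        require(msg.sender == owner, "not owner");
        approvedContractRecipient[recipient] = true;
    }

    function _payout(address recipient) internal {
        uint256 amount = allocation[recipient];
        if (amount == 0) revert NotEligible(recipient);
        if (claimed[recipient]) revert AlreadyClaimed(recipient);
        claimed[recipient] = true; // checks-effects-interactions: mark before transfer
        require(token.transfer(recipient, amount), "transfer failed");
    }
}
```

The `code.length` check is a filter, not a guarantee: it reads zero for an address whose contract is still executing its constructor and for a counterfactual address that has not been deployed yet. The real control is the review step before tokens are assigned at all, which is why the example keeps an explicit owner-maintained allow-list for contract recipients instead of trusting the on-chain check alone.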