Coinbase Hit by $300,000 Loss From Token Approval Mistake

Chief security officer Philip Martin said the problem was caused by a configuration change and only affected the company’s own funds.

He added that the token approvals were removed and the rest of the assets were moved to a new wallet. No customer balances were impacted.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Crypto Research Fundamentals: How to DYOR (Animated Explainer)

SUBSCRIBE

ON YOUTUBE

The issue was first spotted by Deebeez, a security researcher from Venn Network. He explained in an August 13 post on X that Coinbase’s wallet interacted with the 0x Project’s "swapper" contract. This contract is meant for carrying out token swaps, not for holding approvals that allow tokens to be taken later.

Because the swapper contract can be called by anyone, these approvals made the funds vulnerable to being taken right away. Deebeez pointed out that similar problems have happened before with Zora-related claims on the Base network.

In those cases, attackers were able to take assets simply because they had been approved for the wrong type of contract.

Deebeez also shared screenshots that showed Coinbase approved several tokens on August 13, including Amp AMP $0.0021 , DEXTools DEXT $0.2193 , MyOneProtocol, and Swell Network. Later, a maximal extractable value (MEV) bot used the swapper contract to move those tokens from Coinbase’s fee receiver wallet into its own accounts.

Recently, Odin.fun lost 58.2 BTC, worth around $7 million, in a liquidity exploit. How did that happen? Read the full story.