
Coinbase Hit by Costly $300K MEV Bot Drain

5h ago

Coinbase lost around $300,000 in token fees after mistakenly approving assets to a 0x Project smart contract, which allowed a maximal extractable value (MEV) bot to drain the funds. The issue was flagged by Venn Network researcher Deebeez, and stemmed from a corporate wallet configuration change that allowed arbitrary token transfers. Coinbase’s chief security officer confirmed it was an isolated incident, with no customer funds affected. In a separate case, Ethereum core developer Zak Cole fell victim to a wallet drainer embedded in a malicious Cursor AI extension, which stole his private key and drained his hot wallet.

MEV Bot Drains $300K From Coinbase

Coinbase suffered a loss of around $300,000 in token fees after mistakenly approving assets to a 0x Project smart contract, which allowed a maximal extractable value (MEV) bot to drain the funds. The incident was first flagged by Deebeez, a security researcher at Venn Network, who revealed in a post on X that Coinbase’s corporate wallet interacted with 0x’s “swapper” contract. This permissionless tool is designed to execute token swaps, not to receive token approvals, and granting such approvals can leave assets exposed to immediate theft.

Because the swapper contract can be called by anyone to perform arbitrary actions, approvals effectively give malicious actors the green light to move tokens without exploiting any code vulnerabilities. Deebeez shared that this same contract has previously been linked to issues with Zora claims on Base, which allowed fund extractions through similar setups. 

Screenshots that were shared by the researcher showed Coinbase granting approvals for tokens including Amp, MyOneProtocol, DEXTools, and Swell Network on Wednesday afternoon. Shortly afterward, a MEV bot called the swapper contract and transferred the approved tokens from Coinbase’s fee receiver account into its own addresses.

Describing the bot as having been “lurking in the dark” waiting for such a mistake, Deebeez said the incident provided the perfect opportunity for the attacker to act. He added that the loss, which drained the fee receiver account of all its tokens, was an “expensive lesson” for Coinbase.

(Source: X)

Coinbase’s chief security officer Philip Martin confirmed the event, and called it an “isolated issue” that was caused by a configuration change in one of the exchange’s corporate DEX wallets. He made sure to mention that no customer funds were affected, and that Coinbase revoked the token allowances and moved the remaining funds to a new corporate wallet.
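The approvals and the later revocation described above can be monitored from ERC-20 `Approval` event logs. The following is an added example, not code from Coinbase, 0x or the researcher: it replays such logs and reports allowances that are still live and point at a spender nobody has vetted. The addresses, the `mk` helper and the sample logs are constructed placeholders.

```python
# keccak256("Approval(address,address,uint256)"), topic0 of every ERC-20 Approval event.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, monitored_owners):
    """Replay logs in chain order; return {(token, owner, spender): amount} still nonzero."""
    monitored = {o.lower() for o in monitored_owners}
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId as well (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if owner not in monitored:
            continue
        key = (log["address"].lower(), owner, spender)
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = amount   # a later approval overwrites the earlier one
    return state

def unvetted_allowances(logs, monitored_owners, vetted_spenders):
    """Live allowances whose spender is not on the reviewed allowlist."""
    vetted = {s.lower() for s in vetted_spenders}
    live = outstanding_allowances(logs, monitored_owners)
    return {k: v for k, v in live.items() if k[2] not in vetted}

# Constructed sample data: placeholder addresses, block numbers already decoded to int.
FEE_WALLET, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
ROUTER_OK, SWAPPER = "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20

def mk(token, owner, spender, amount, block, idx=0):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": idx}

SAMPLE_LOGS = [
    mk(TOKEN_B, FEE_WALLET, SWAPPER, 0, 105),            # revoked later
    mk(TOKEN_A, FEE_WALLET, ROUTER_OK, 2**256 - 1, 100), # vetted spender
    mk(TOKEN_A, FEE_WALLET, SWAPPER, 5000, 101),         # still live, unvetted
    mk(TOKEN_B, FEE_WALLET, SWAPPER, 2**256 - 1, 101, 1),
    mk(TOKEN_A, OTHER, SWAPPER, 7, 102),                 # owner not monitored
]
```

Calling `unvetted_allowances(SAMPLE_LOGS, [FEE_WALLET], [ROUTER_OK])` leaves only the TOKEN_A allowance to the unvetted spender, because the TOKEN_B approval was later set back to zero.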

MEV bot-related exploits have become a lot more common. In April, a bot lost $180,000 in Ethereum after an attacker exploited its access control system, swapping ETH for a worthless token through a malicious pool. In 2023, a rogue validator exploited MEV bots attempting sandwich trades, and stole $25 million in assets, including WBTC, USDC, USDT, DAI, and WETH.

Wallet Drainer Targets Ethereum Dev

Meanwhile, Ethereum core developer Zak Cole revealed that he was targeted by a crypto wallet drainer linked to a rogue code assistant. In a Tuesday post on X, Cole said that he installed a malicious artificial intelligence extension from Cursor AI called “contractshark.solidity-lang,” which appeared legitimate with a polished icon, descriptive copy, and over 54,000 downloads. 

Unbeknownst to him, the extension secretly read his .env file, extracted his private key, and sent it to an attacker’s server. This gave the attacker access to his hot wallet for three days before draining the funds on Sunday.

Cole has been in the crypto space for more than a decade, and said this was the first time he ever lost funds to hackers. The impact was limited to a “few hundred” dollars in Ethereum, as he uses small, project-specific hot wallets for testing and secures his primary holdings on hardware devices. He mentioned that the incident happened when he was rushing to ship a contract, and believes his urgency led to overlooked security checks.

The attack is part of a growing trend in which wallet drainers, which are malware designed to steal crypto assets, are becoming more prevalent. In September of 2024, a fake WalletConnect Protocol on the Google Play store stayed live for over five months, and stole more than $70,000 from investors. Malicious VS Code extensions in particular are emerging as a major attack vector for developers, often using fake publishers and typosquatting to trick users into installing them.

Hakan Unal, senior security operations lead at blockchain security firm Cyvers, advised that developers should thoroughly vet extensions, avoid storing sensitive information in plain text or .env files, use hardware wallets, and work in isolated environments. Adding to the concern, a report from AMLBot in April revealed that wallet drainers are now being sold as a service. Scammers even rent them for as little as $100 in USDT, making them more accessible than ever.
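A check for the advice about plain-text secrets in .env files, as an added example that is not from the article or from Cyvers: it parses .env text and reports variables whose value has the shape of a raw 32-byte key or a seed phrase, without ever returning the value itself. The variable names and sample content are constructed, and the patterns are heuristics that will also match other 32-byte hex values.

```python
import re

# 32-byte hex value, with or without 0x: the shape of a raw private key.
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# 12 to 24 lowercase words: the shape of a BIP-39 seed phrase (wordlist not checked).
MNEMONIC = re.compile(r"^[a-z]+( [a-z]+){11,23}$")

def parse_env(text):
    """Yield (line_no, name, value) for KEY=VALUE lines; handles export, quotes, comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]                      # strip matching quotes
        else:
            value = value.split(" #", 1)[0].strip()  # unquoted: drop inline comment
        yield n, name, value

def find_plaintext_keys(text):
    """Return [(line_no, name, kind)]; values are omitted so findings are safe to log."""
    findings = []
    for n, name, value in parse_env(text):
        if HEX_KEY.match(value):
            findings.append((n, name, "32-byte-hex"))
        elif MNEMONIC.match(value):
            findings.append((n, name, "seed-phrase"))
    return findings

# Constructed sample .env content; the key and phrase are dummies.
SAMPLE_ENV = "\n".join([
    "# constructed sample",
    "RPC_URL=https://rpc.example.invalid",
    'export DEPLOYER_KEY="0x' + "ab" * 32 + '"',
    "CHAIN_ID=8453 # inline comment",
    "SEED='" + " ".join(["word"] * 12) + "'",
    "API_TOKEN=ABC123",
])
```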
