Coinbase saigne : un bot MEV profite d’une faille 0xProject pour siphonner 300 000 $
Le géant des cryptos se fait surprendre par un arbitrage automatisé. L'erreur ? Un smart contract trop permissif sur le protocole 0x.
Comment un simple bot a pu devancer les trades de Coinbase
Les MEV bots - ces prédateurs algorithmiques - ont encore frappé. Cette fois, c'est l'interface d'échange décentralisé 0x qui a servi de porte dérobée. Le bot a repéré une opportunité avant que Coinbase ne finalise ses propres transactions.
300 000 $ évaporés en quelques blocs. De quoi faire grincer des dents les actionnaires - heureusement, c'est de la petite monnaie pour un exchange qui brasse des milliards. Comme quoi, même les banquiers 2.0 peuvent se faire pigeonner.
Incident adds to criticisms against Coinbase
Unsurprisingly, the incident represents another sore point for Coinbase critics, although it did not impact the exchange users. Some critics noted that this kind of mistake from a major exchange is concerning, especially given that it disclosed a cyber attack that could cost up to $400 million a few months ago.
Meanwhile, according to users on X, the exchange had also recently experienced downtime, with at least two PEOPLE sharing screenshots showing they could not access their Coinbase accounts. Some users have criticized the exchange for adding the Solana memecoin USELESS to its asset listing roadmap.
Nevertheless, Coinbase remains the biggest exchange in the US and ranks ninth globally with around 5.8% of the market share according to CoinGecko. This puts it above Crypto.com with 5.1% even as several other offshore exchanges continue to see more volume.
Security analysts identify composability risks
Meanwhile, this is not the first time funds have been drained from the 0x wallet. In April, Zora’s claim contract was also affected after it assigned ZORA tokens to the 0x settler contract through an airdrop.
Soon after the airdrop, an attacker drained the address and swapped the allocation for $128,000 worth of ETH. Security research firm BlockAid identified the incident as a Composability Attack. According to the firm, this is a new class of on-chain risk where independently secure components can create vulnerable conditions when they interact.
It said:
“A Composability Attack occurs when two or more independently secure systems interact in an unexpected way that creates an exploitable condition, without requiring any vulnerabilities in the systems themselves.”
In this case, it was Zora airdrop claim mechanism and the 0x Settler contract. The Zora mechanism allowed recipients to claim tokens through the claim function. It made no distinction between externally owned accounts (EOA) and smart contracts as long as the address is eligible.
While this allowed anyone eligible to claim the airdrop, it meant that the 0x Settler contract address could also get the tokens. Once Zora mistakenly sent the token meant for the 0x ecosystem to the contract, it was easy for anyone who understood the interaction to claim the tokens.
Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites
