I do not have a specific answer for Coinbase. Typically, the flaw would be in modifying one of the form inputs to get the code delivered to a different phone number. That usually works out to either modifying the "destination number" client-side form value, or swapping in an edited/reused session token from a different login session's MFA challenge, to exploit missing ownership checks on the various underlying pkey object IDs.
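The server-side checks whose absence the answer above describes, as an added example that is not part of the original answer and not any real service's code: the destination is looked up from the account record rather than the form, and a challenge is accepted only for the user and session that created it. The user records, in-memory stores and function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: the number on file is the only trusted destination.
USERS = {"alice": {"phone": "+15550100"}, "mallory": {"phone": "+15550199"}}
CHALLENGES = {}  # challenge_id -> {"user", "session", "code", "used"}
OUTBOX = []      # (destination, code) pairs "sent" by a stub SMS gateway


def start_challenge(session, form):
    """Issue an MFA code. `form` is untrusted client input and is not consulted."""
    user = session["user"]
    # Any "destination" field in the form is ignored; use the stored number.
    destination = USERS[user]["phone"]
    challenge_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    CHALLENGES[challenge_id] = {
        "user": user, "session": session["id"], "code": code, "used": False,
    }
    OUTBOX.append((destination, code))
    return challenge_id


def verify_challenge(session, challenge_id, submitted_code):
    """Accept a code only for a challenge owned by this user and this session."""
    challenge = CHALLENGES.get(challenge_id)
    if challenge is None or challenge["used"]:
        return False
    # Ownership check: the referenced object must belong to the caller.
    if challenge["user"] != session["user"] or challenge["session"] != session["id"]:
        return False
    if not hmac.compare_digest(challenge["code"], submitted_code):
        return False
    challenge["used"] = True  # single use
    return True
```
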