In Brief
- SwapNet exploit drains $16.8M after users disabled one-time approval protections.
- Attacker swapped $10.5M USDC to ETH on Base before bridging to Ethereum.
- Matcha Meta disables affected contracts as security firms flag wider DeFi risks.
A security breach linked to SwapNet led to losses of about $16.8 million, affecting users interacting through Matcha Meta. The incident mainly impacted users who disabled one-time approvals, thereby exposing persistent token permissions.
Blockchain security firm PeckShieldAlert identified the exploit and traced the initial fund movements. The attacker targeted SwapNet router contracts that retained unlimited approvals from affected user wallets.
On the Base network, the attacker exchanged roughly $10.5 million in USDC for about 3,655 ether. Soon after, the attacker began bridging the converted assets to the Ethereum mainnet to complicate tracking.
SwapNet operates as a liquidity router used by Matcha Meta to source pricing and deep liquidity. The exploit involved abusing existing approvals rather than breaching private keys or core infrastructure.
Matcha Meta, built by the 0x team, confirmed the issue and immediately disabled affected SwapNet contracts. The platform also removed the option allowing users to grant direct approvals to third-party aggregators.
Investigation Expands as Security Firms Flag Wider Risks
Further analysis suggested the exploit stemmed from an arbitrary call vulnerability within SwapNet contracts. This flaw allowed attackers to transfer approved tokens without requesting new permissions.
Security firm BlockSec reported that multiple contracts across chains suffered losses exceeding $17 million. Affected networks included Ethereum, Arbitrum, Base, and BNB Chain, increasing the incident’s scope.
Separately, CertiK estimated that stolen funds near $13.3 million in USDC from related activity.
Some contracts involved remained closed-source and unverified at deployment.
Matcha Meta later confirmed that 0x core contracts were not affected by the incident.
Users relying on one-time approvals through 0x infrastructure remained unaffected.
The incident renewed scrutiny around persistent token approvals in decentralized finance.
Unlimited permissions offer convenience but increase exposure during smart contract failures.
Meanwhile, on-chain investigator ZachXBT criticized Circle’s delayed response to freeze remaining USDC. Roughly $3 million reportedly remained at addresses eligible for freezing during the response window.
The breach adds to a growing list of DeFi security failures early in 2026. Industry data shows stolen crypto funds reached record levels in recent years, increasing pressure on protocol security practices.
|
| DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing. |
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Could bypassing FSC regulations to buy crypto with a card be possible? OdinTean rolls out Wallet Pro, a service to buy crypto with U.S. debit cards
OwlPay and Wallet Pro services launched by OdinTing use stablecoin technology to enable B2B cross-border payments, and they partner with international payments giants to showcase their expansion ambitions in the financial technology sector. Through offshore operations, OdinTing bypasses Taiwan’s regulatory restrictions, providing fast virtual-asset trading. Meanwhile, as it faces the newly promulgated Virtual Asset Services Act, it is expected to become a reference template for other foreign-funded enterprises entering the Taiwan market.
CryptoCity42m ago
Fake Ledger App on Apple’s App Store Drains Musician’s 5.9 BTC Retirement Fund
A fake Ledger app on Apple's App Store deceived musician Garrett Dutton into losing 5.9 BTC by entering his seed phrase. This case highlights ongoing wallet scams and the exploitation of trust, as the stolen bitcoin was laundered through KuCoin.
CryptoNewsFlash12h ago
Can bypassing FSC regulations on using credit cards to buy crypto be possible? Odin Ding promotes a Wallet Pro service for buying crypto with US debit cards
OdinTai推出OwlPay和Wallet Pro服务,专注于B2B跨境支付,结合稳定币技术与国际金融系统,展现其金融科技转型。通过与MoneyGram合作,Wallet Pro实现现金购买稳定币的跨国汇款,并在美国市场运作。该公司的境外模式规避了台湾严格的监管,并在新法草案下挑战市场竞争格局,未来将影响本地业者的合规策略。
CryptoCity13h ago
Music Star G. Love Loses 5.9 Bitcoin in Shocking App Store Scam
_Musician G. Love loses 5.9 BTC in fake Ledger app scam, raising serious concerns about crypto security and user awareness worldwide._
A major crypto scam has affected Garrett Dutton, widely known as G. Love. The American singer lost 5.9 Bitcoin valued at almost 420,000. The loss occurred when he t
LiveBTCNews18h ago
Aave Faces a Major Trust Crisis: Service Providers Exit En Masse, with “Technology, Governance, and Risk Control” Fully Failing
Author: Jae, PANews
Compared with the external pressure of a bear market, Aave has instead seen a “black swan” emerge internally first.
Aave, which has long occupied the throne of lending agreements, is now facing the most severe ecosystem shake-up since its founding. There has been no hacker attack, no code vulnerabilities—only power gone out of control and conflicting interests.
From BGD Labs, a technical cornerstone, decisively leaving, to a public break between governance pioneer ACI (Aave Chan Initiative), and then to Chaos Labs, the risk-management steward, announcing that it is parting ways— a major “service provider retreat” is unfolding.
The depth of this game goes far beyond a mere cooperation dispute; it has triggered
区块客19h ago
Can bypassing Financial Supervisory Commission regulations for buying crypto with credit cards be possible? OdenDing pushes a Wallet Pro crypto-purchase service with U.S. debit cards
OdinTing launches OwlPay and Wallet Pro services, focusing on B2B cross-border payments. By combining stablecoin technology with international financial systems, it showcases its fintech transformation. Through a partnership with MoneyGram, Wallet Pro enables cross-border transfers of stablecoins purchased with cash and operates in the U.S. market. The company’s offshore model bypasses Taiwan’s strict regulation and challenges the competitive landscape under the new draft law, which will in the future affect local players’ compliance strategies.
CryptoCity19h ago
