Hackers stole approximately $16.8 million from decentralized exchange aggregator Matcha on January 26 by exploiting a vulnerability in its SwapNet contract integration on the Base network.
The attack, detected by blockchain security firms PeckShield and CertiK, targeted users who had granted persistent token approval permissions rather than using one-time authorizations. Matcha has since disabled the affected contracts and removed the ability for users to set direct allowances on aggregator contracts.
Matcha Meta SwapNet Breach triggers multi-million dollar drain
According to PeckShield, the Matcha Meta SwapNet Breach resulted in an attacker siphoning roughly $16.8 million worth of digital assets.
On-chain data reviewed by the security firm shows that approximately $10.5 million in USDC on Base was swapped for around 3,655 ether before the funds were bridged to Ethereum.
The movement of assets across chains complicated early tracing efforts and raised concerns about how quickly stolen funds could be dispersed.
CertiK, another blockchain security firm, provided an earlier and more conservative estimate of losses, putting the figure at about $13.3 million in USDC.
The firm attributed the exploit to what it described as an “arbitrary call” vulnerability in the SwapNet contract. In general terms, an arbitrary-call bug is a contract that forwards caller-supplied calldata to a caller-supplied address; because the contract itself held standing ERC-20 allowances from users, an attacker could allegedly route a transferFrom call through it and move funds that users had previously approved to the contract, without holding any of those tokens themselves.
While estimates differ, both firms agree that the exploit targeted contract-level permissions rather than a failure of underlying blockchains.
The disclosure places renewed focus on the security risks inherent in DeFi aggregators, particularly when users grant standing approvals that can later be abused if a contract is compromised.
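To make the mechanism concrete, the following is an added, simplified illustration written for this article; it is not the SwapNet, 0x, Matcha or Settler code and is not a reconstruction of the actual exploit. The contract names, the swap function shape and the split between a holder and a router are all assumptions chosen to show the pattern: a router that both holds standing allowances and forwards arbitrary calls, the calldata an attacker would hand it, and a hardened layout in which the contract that forwards arbitrary calls never holds allowances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts for illustration only (not SwapNet/0x/Matcha code).

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// VULNERABLE PATTERN: the contract users grant a standing allowance to also
/// forwards caller-chosen calldata to a caller-chosen address.
contract VulnerableRouter {
    function swap(address inputToken, uint256 amountIn, address target, bytes calldata data) external {
        if (amountIn > 0) {
            IERC20(inputToken).transferFrom(msg.sender, address(this), amountIn);
        }
        // msg.sender for this inner call is the router itself, so the call runs
        // with every allowance any user has ever granted to the router.
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
    }
}

/// The attacker passes target = the token contract and this as data. They need
/// no balance of their own: amountIn = 0 and the victim's allowance does the work.
library ExploitCalldata {
    function build(address victim, address attacker, uint256 amount) internal pure returns (bytes memory) {
        return abi.encodeCall(IERC20.transferFrom, (victim, attacker, amount));
    }
}

/// HARDENED PATTERN: split the trust. Users approve only AllowanceHolder, which
/// spends the *caller's* allowance, in the caller's own transaction, and hands the
/// tokens to a router that holds no standing allowances. The router may still
/// forward calls, but only to allowlisted adapters and never to the token itself,
/// so it can at most move tokens already inside it for this one swap.
contract AllowanceHolder {
    function swapVia(address router, address inputToken, uint256 amountIn, address target, bytes calldata data) external {
        // Only the token owner (msg.sender) can trigger a pull of their own tokens.
        IERC20(inputToken).transferFrom(msg.sender, router, amountIn);
        HardenedRouter(router).execute(msg.sender, inputToken, target, data);
    }
}

contract HardenedRouter {
    address public immutable allowanceHolder;
    address public immutable owner;
    mapping(address => bool) public allowedTarget; // owner-maintained list of DEX adapters

    constructor(address holder) {
        allowanceHolder = holder;
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "only owner");
        allowedTarget[target] = allowed;
    }

    function execute(address user, address inputToken, address target, bytes calldata data) external {
        require(msg.sender == allowanceHolder, "only holder");
        require(allowedTarget[target], "target not allowlisted");
        // Defense in depth: forwarding a call to the token being swapped is exactly
        // how a leftover balance or allowance gets spent on someone else's behalf.
        require(target != inputToken, "cannot call token");
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
        // Return anything unspent so the router never accumulates balances.
        uint256 dust = IERC20(inputToken).balanceOf(address(this));
        if (dust > 0) IERC20(inputToken).transfer(user, dust);
    }
}
```

The allowlist is the real control here; the target != inputToken check and the sweep only narrow what a mistake in the allowlist can reach. Note that the hardened layout still cannot protect a user who bypasses the holder and approves the router directly, which is why removing that option from the front end, as Matcha says it has done, matters alongside the contract design.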
User exposure clarified amid Matcha Meta SwapNet Breach response
In its initial response to the Matcha Meta SwapNet Breach, Matcha Meta said it was still unclear whether user funds had been permanently lost.
The project emphasized that exposure was limited to a specific subset of users: those who had disabled One-Time Approvals and instead set direct allowances on individual aggregator contracts. Users who relied on One-Time Approval interactions were not affected, according to the team.
After reviewing the incident alongside the 0x protocol team, Matcha Meta also sought to clarify the scope of responsibility. The project confirmed that the issue did not stem from 0x’s AllowanceHolder or Settler contracts, distancing the broader 0x infrastructure from the exploit.
In a post shared on X, the team outlined changes aimed at preventing a recurrence. “Users who have disabled One-Time Approval and have set direct allowances on individual aggregator contracts assume the risks of each aggregator,” — Matcha Meta, in a post on X.
“We have removed the ability for users to set allowances on aggregators directly such that this cannot happen moving forward.”
The statement underscores a broader industry tension between convenience and security, as persistent approvals can streamline trading while also expanding the attack surface.
Matcha Meta SwapNet Breach adds to rising industry losses
The Matcha Meta SwapNet Breach arrives against the backdrop of sustained hacking activity across the crypto sector. Industry-wide data from Chainalysis shows that cryptocurrency theft totaled more than $3.41 billion in 2025, slightly higher than the $3.38 billion recorded the previous year.
A single $1.5 billion hack of Bybit accounted for nearly half of those losses, while actors linked to North Korea were identified as the most prolific threat group, stealing a record $2.02 billion over the year.
While the Matcha Meta incident is smaller in scale than some of last year’s largest exploits, it highlights how vulnerabilities in smart contracts and user permission settings continue to present opportunities for attackers.
The fact that the exploit appears to hinge on pre-approved allowances rather than protocol-wide failures may influence how aggregators design default user protections going forward.
As of publication, Matcha Meta had not issued further updates beyond its initial disclosures, and The Block said it had reached out to the team for additional comment. Investigations by PeckShield, CertiK, and other analysts remain ongoing.
What the Matcha Meta SwapNet Breach means for DeFi users
For DeFi participants, the Matcha Meta SwapNet Breach serves as another reminder to regularly review and limit token approvals, especially on aggregator platforms that interact with multiple protocols. ERC-20 approvals are granted per token and per spender contract and persist until explicitly revoked by setting that spender's allowance back to zero; a revocation made after a contract has been compromised only protects what has not already been drained. While One-Time Approvals may introduce extra steps, the incident illustrates how they can significantly reduce exposure during a contract exploit.
Whether any of the stolen assets will be recovered remains uncertain. What is clear is that the Matcha Meta SwapNet Breach has reinforced calls for stronger default safeguards, clearer user education around permissions, and faster incident disclosure as the DeFi ecosystem continues to mature under persistent security pressure.
Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.