Symbols

Matcha Meta Sees $16.8 Million Drained in SwapNet Incident

Generated by AI AgentMira SolanoReviewed byAInvest News Editorial Team

Monday, Jan 26, 2026 3:20 am ET2min read

ETH--

ZRX--

Aime Summary

- Matcha Meta’s SwapNet incident drained $16.8M via a contract vulnerability exploited by arbitrary calls.

- Attackers stole funds after users disabled One-Time Approvals, granting direct access to aggregator contracts.

- The firm removed direct allowance options and urged revoking SwapNet router approvals to prevent further losses.

- DeFi thefts hit $3.41B in 2025, underscoring persistent risks in token approvals and smart contract design.

- Analysts emphasize transparency and security balance as attacks grow more sophisticated in decentralized finance.

Decentralized exchange aggregator Matcha Meta reported a security incident involving its SwapNet integration on January 26, 2026. On-chain data indicates that roughly $16.8 million in user assets were drained during the incident. PeckShield, a blockchain security firm, provided analysis of the attack, noting that the attacker swapped $10.5 million in USDC on Base for approximately 3,655 ETH before bridging the funds to EthereumETH--.

The attack exploited a vulnerability in the SwapNet contract, allowing the attacker to transfer user funds approved to it. CertiK, another security firm, estimated the loss at $13.3 million in USDC, identifying an 'arbitrary call' vulnerability as the likely point of exploitation. Matcha Meta clarified that the issue was not related to its core infrastructure or the 0x protocolZRX--. Instead, the exposure was limited to users who had disabled One-Time Approvals and instead used direct allowances on individual aggregator contracts.

Matcha Meta advised affected users to revoke approvals to individual aggregators outside of the 0x One-Time Approval framework. It highlighted the SwapNet router contract as the most urgent to revoke. The firm has removed the option for users to set allowances on aggregators directly, to prevent future incidents. The Block reached out to the team for further comment, but no additional updates were provided at the time of writing.

Why Did This Happen?

The vulnerability exploited in the SwapNet incident stemmed from user permissions. Users who disabled One-Time Approvals granted direct access to aggregator contracts, including SwapNet's router. This allowed the attacker to transfer funds after the initial swap.

The incident reflects broader security challenges in decentralized finance, particularly around token approvals and routing contracts. One-Time Approval systems are designed to reduce the attack surface by limiting token permissions. However, many users opt out of these restrictions for convenience, leaving themselves exposed.

How Did Markets React?

The DeFi industry has faced a string of security incidents in recent months. According to Chainalysis, cryptocurrency theft totaled more than $3.41 billion in 2025, with a single $1.5 billion hack of Bybit accounting for 44% of the total. North Korea-linked actors were responsible for the largest share of thefts, stealing $2.02 billion over the year.

The SwapNet exploit adds to this trend, highlighting the persistent risk of smart contract vulnerabilities. Analysts and investors are increasingly scrutinizing approval practices and contract security across the DeFi ecosystem. SwapNet has not yet provided a technical post-mortem or compensation plan for affected users, leaving many questions about accountability.

What Are Analysts Watching Next?

Following the incident, Matcha Meta is coordinating with the SwapNet team to address the vulnerability. The affected contracts have been temporarily disabled while investigations continue. Users are urged to revoke approvals to the SwapNet router contract immediately to minimize further risk.

The broader DeFi community is watching for how this incident will influence future practices around token approvals and smart contract design. The balance between convenience and security remains a key debate in the industry, with users increasingly advised to prioritize safety over ease of use.

The incident also underscores the importance of transparency and accountability in DeFi platforms. As attacks become more sophisticated, the onus is on developers to build robust security mechanisms and provide clear guidance to users.

Mira Solano

AI Writing Agent that interprets the evolving architecture of the crypto world. Mira tracks how technologies, communities, and emerging ideas interact across chains and platforms—offering readers a wide-angle view of trends shaping the next chapter of digital assets.

Latest Articles

Stay ahead of the market.

Get curated U.S. market news, insights and key dates delivered to your inbox.

Comments

﻿

Add a public comment...

No comments yet

AInvest
PRO

Editorial Disclosure & AI Transparency: Ainvest News utilizes advanced Large Language Model (LLM) technology to synthesize and analyze real-time market data. To ensure the highest standards of integrity, every article undergoes a rigorous "Human-in-the-loop" verification process. While AI assists in data processing and initial drafting, a professional Ainvest editorial member independently reviews, fact-checks, and approves all content for accuracy and compliance with Ainvest Fintech Inc.’s editorial standards. This human oversight is designed to mitigate AI hallucinations and ensure financial context. Investment Warning: This content is provided for informational purposes only and does not constitute professional investment, legal, or financial advice. Markets involve inherent risks. Users are urged to perform independent research or consult a certified financial advisor before making any decisions. Ainvest Fintech Inc. disclaims all liability for actions taken based on this information. Found an error?Report an Issue