
An On-Chain DEX Aggregator Just Lost $17 Million in Major Smart Contract Attack

On-chain decentralized exchange (DEX) aggregator SwapNet has suffered a significant smart contract exploit that drained almost $16.8 million in crypto assets.

The incident highlights persistent security risks tied to token approvals and third-party routing contracts in decentralized finance (DeFi).

On-Chain DEX Aggregator SwapNet Suffers $16.8 Million Exploit

PeckShield reported that the attacker targeted SwapNet-linked activity accessible through Matcha Meta, a meta DEX aggregator built by the 0x team.

On the Base network, the attacker swapped roughly $10.5 million in USDC for around 3,655 ETH before bridging the funds to Ethereum, a common tactic used to complicate tracking and recovery efforts.

Matcha Meta clarified that the exposure did not stem from its core infrastructure. Instead, the affected users were those who had opted out of 0x’s One-Time Approval system, a security feature designed to limit ongoing token permissions.

Users who disabled this feature granted direct approvals to underlying aggregator contracts, including SwapNet’s router, which ultimately became the attack vector.

“We are conscious of an incident with SwapNet that customers could have been uncovered to on Matcha Meta for individuals who turned off One-Time Approvals,” Matcha Meta said in a press release.

The platform confirmed it is coordinating with the SwapNet team, which has quickly disabled the affected contracts while investigations continue.

As a precaution, Matcha Meta urged users to immediately revoke approvals to individual aggregators outside of 0x’s One-Time Approval framework.

The platform highlighted SwapNet’s router contract (0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e) as the most urgent approval to revoke. Failure to do so could leave wallets exposed even after the exploit has been contained.
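The revocation advice above can be checked per wallet with standard ERC-20 calls. The following is an added example, not code from Matcha Meta, 0x or SwapNet: it builds the `eth_call` request for `allowance(owner, router)`, classifies the returned value, and produces `approve(router, 0)` calldata for any token that still has a non-zero allowance. The owner and token addresses are constructed placeholders, and the "unlimited" threshold is a heuristic assumption.

```python
# Router address quoted in the article; every other address below is a constructed placeholder.
SWAPNET_ROUTER = "0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e"
ALLOWANCE_SELECTOR = "dd62ed3e"  # ERC-20 allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # ERC-20 approve(address,uint256)

def _word(address):
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    raw = address.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return raw.rjust(64, "0")

def allowance_call(token, owner, spender=SWAPNET_ROUTER, req_id=1):
    """JSON-RPC eth_call asking `token` how much `spender` may move on behalf of `owner`."""
    data = "0x" + ALLOWANCE_SELECTOR + _word(owner) + _word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def classify(result_hex):
    """Interpret the uint256 returned by allowance()."""
    if result_hex in ("", "0x"):
        return "no-data"  # address has no code or is not an ERC-20 token
    value = int(result_hex, 16)
    if value == 0:
        return "none"
    # Heuristic (assumption): wallets typically grant 2**256-1 for "unlimited".
    return "unlimited" if value >= 2**255 else "limited"

def revoke_calldata(spender=SWAPNET_ROUTER):
    """Calldata for approve(spender, 0), to be sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + _word(spender) + "0" * 64

def revocations(owner, responses):
    """Given {token: eth_call result}, return unsigned revoke transactions to review and sign."""
    return [{"from": owner, "to": token, "data": revoke_calldata()}
            for token, result in responses.items()
            if classify(result) in ("limited", "unlimited")]

# Constructed sample data: one unlimited approval, one already revoked.
OWNER = "0x" + "11" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE = {TOKEN_A: "0x" + "f" * 64, TOKEN_B: "0x" + "0" * 64}

if __name__ == "__main__":
    print(allowance_call(TOKEN_A, OWNER))
    for tx in revocations(OWNER, SAMPLE):
        print("revoke on", tx["to"], tx["data"])
```

The same check has to be repeated on every network where the wallet granted the approval, since allowances are stored per token contract per chain.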

DeFi’s Security Trade-Offs: Convenience vs. Safety Amid Rising Smart Contract Exploits

The incident reflects a longstanding trade-off in DeFi between convenience and security. One-Time Approvals require users to approve each transaction individually, reducing the persistent attack surface. However, this also adds friction for frequent traders.

Unlimited approvals, while faster, grant smart contracts enduring access to user funds. This arrangement becomes dangerous when those contracts are compromised.

SwapNet has not yet released a full technical post-mortem or indicated whether affected users will be compensated. This leaves open questions around accountability and recovery.

The lack of immediate clarity is likely to intensify scrutiny of approval practices and aggregator integrations across the DeFi ecosystem.

Another Ethereum Exploit Highlights Risks of Unverified, Closed-Source Contracts

The exploit comes amid a broader pattern of smart contract attacks and security incidents in the crypto market.

On the same day, security auditor Pashov flagged a separate Ethereum mainnet exploit involving roughly 37 WBTC, worth over $3.1 million.

This was linked to a closed-source, unverified contract deployed just 41 days earlier. The contract published only non-human-readable bytecode, preventing public review.

Together, the incidents highlight fertile ground for attackers in DeFi:

  • Unverified code
  • Persistent approvals, and
  • Complex routing layers.

Despite years of audits and security improvements, DeFi continues to grapple with structural vulnerabilities. This places the burden on developers and users to balance usability with risk management.

The post An On-Chain DEX Aggregator Just Lost $17 Million in Major Smart Contract Attack appeared first on BeInCrypto.