Matcha Meta Breach Drains $16.8M via SwapNet Exploit — Users Urged to Revoke Access
A security breach tied to decentralized exchange aggregator Matcha Meta has resulted in the theft of roughly $16.8 million in crypto assets, adding to a growing list of smart-contract exploits that continue to test the security assumptions of DeFi users.
The incident unfolded on Sunday and was traced not to Matcha’s core infrastructure, but to SwapNet, one of the liquidity providers integrated into the platform.
Matcha Meta disclosed the issue publicly in a post on X, saying users who had disabled its “One-Time Approval” feature and instead granted direct token allowances to individual aggregator contracts may have been exposed.
The protocol urged affected users to immediately revoke approvals linked to SwapNet’s router contract, warning that failure to do so could leave wallets vulnerable to further unauthorized transfers.
$17M Vanishes in Seconds: How Matcha Hackers Slipped Funds Onto Ethereum
Blockchain security firms quickly began tracking the exploit as funds moved on-chain.
PeckShield reported that roughly $16.8 million had been drained in total, with the attacker swapping around $10.5 million in USDC for roughly 3,655 ETH on the Base network before beginning to bridge assets to Ethereum.
CertiK independently flagged suspicious transactions, identifying one wallet that siphoned about $13.3 million in USDC on Base and converted the funds into wrapped Ether.
Both firms pointed to a vulnerability in the SwapNet contract that allowed arbitrary calls, enabling the attacker to transfer tokens that users had previously approved.
Matcha later clarified that the incident was not linked to 0x’s AllowanceHolder or Settler contracts, which underpin its One-Time Approval system.
The team noted that users who interacted with Matcha using One-Time Approvals were not affected, as this design limits how much access a third-party contract can retain.
The exposure, the team said, applied only to users who opted out of that system and granted ongoing allowances directly to aggregator contracts. In response, Matcha has removed the option for users to set such direct approvals going forward.
Old Token Approvals Emerge as a Persistent DeFi Weak Spot
The breach highlights a recurring tension in DeFi between flexibility and security. Token approvals, while necessary for interacting with smart contracts, have long been a weak point, particularly when permissions remain active long after a transaction is completed.
In this case, previously granted allowances became the pathway for the exploit once the SwapNet contract was compromised.
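The kind of check that a revocation notice like this calls for, as an added example that is not code from Matcha, 0x or SwapNet: replay ERC-20 Approval logs to find allowances a wallet still has open to a given spender and build the approve(spender, 0) calldata that closes them. Every address and log entry is constructed, and ROUTER is a placeholder rather than SwapNet's actual router address.

```python
# Added example: find ERC-20 allowances still open to a spender by replaying Approval logs.
# All addresses and logs below are constructed; ROUTER is a placeholder, not SwapNet's router.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

OWNER, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B, NFT = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte topic / ABI word."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def word(n):
    """Encode an integer as a 32-byte hex word."""
    return "0x" + format(n, "064x")

SAMPLE_LOGS = [  # constructed, in chain order
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], "data": word(MAX_UINT256)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], "data": word(500)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], "data": word(0)},  # revoked later
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(OTHER)], "data": word(7)},
    # ERC-721 Approval shares topic0 but indexes tokenId, so it carries 4 topics
    {"address": NFT, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER), word(1)], "data": "0x"},
]

def open_allowances(logs, owner, spender):
    """Return {token: amount} for non-zero owner -> spender allowances; last Approval per token wins.
    Log replay is a triage step: transferFrom may lower an allowance without emitting Approval,
    so confirm each hit with the token's allowance(owner, spender) view."""
    latest = {}
    for log in logs:
        t = [x.lower() for x in log["topics"]]
        if len(t) != 3 or t[0] != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval
        if t[1] != pad(owner) or t[2] != pad(spender):
            continue  # different owner or spender
        latest[log["address"].lower()] = int(log["data"], 16)
    return {token: amt for token, amt in latest.items() if amt > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), the call that closes a standing allowance."""
    return "0x" + APPROVE_SELECTOR + pad(spender)[2:] + "0" * 64

if __name__ == "__main__":
    for token, amt in open_allowances(SAMPLE_LOGS, OWNER, ROUTER).items():
        kind = "unlimited" if amt == MAX_UINT256 else str(amt)
        print(f"{token}: {kind} allowance open; send to token: {revoke_calldata(ROUTER)}")
```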
The incident arrives amid continued concerns over smart-contract security across the crypto sector.
SlowMist’s year-end report shows that vulnerabilities in smart contracts accounted for just over 30% of crypto exploits in 2025, making them the leading cause of losses.

Researchers have also warned that advances in artificial intelligence are accelerating how quickly attackers can identify and exploit weaknesses in on-chain code.
While overall crypto losses declined in December, falling about 60% month-on-month to roughly $76 million, security firms cautioned that the drop did not reflect a structural improvement.
PeckShield noted that a single address-poisoning scam accounted for $50 million of December’s losses, showing how concentrated and severe individual incidents can be even during quieter periods.
January has already seen several notable exploits. IPOR Labs confirmed a $336,000 attack on its USDC Fusion Optimizer vault on Arbitrum, while Truebit disclosed a smart-contract incident that on-chain analysts estimate drained more than 8,500 ETH, triggering a near-total collapse in the project’s token price.
Last week, Layer-1 network Saga paused its SagaEVM chain after an exploit moved close to $7 million in assets to Ethereum.
The post Matcha Meta Breach Drains $16.8M via SwapNet Exploit — Users Urged to Revoke Access appeared first on Cryptonews.
