In Brief
- SwapNet exploit drains $16.8M after users disabled one-time approval protections.
- Attacker swapped $10.5M USDC to ETH on Base before bridging to Ethereum.
- Matcha Meta disables affected contracts as security firms flag wider DeFi risks.
A security breach linked to SwapNet led to losses of about $16.8 million, affecting users interacting through Matcha Meta. The incident mainly impacted users who disabled one-time approvals, thereby exposing persistent token permissions.
Blockchain security firm PeckShieldAlert identified the exploit and traced the initial fund movements. The attacker targeted SwapNet router contracts that retained unlimited approvals from affected user wallets.
On the Base network, the attacker exchanged roughly $10.5 million in USDC for about 3,655 ether. Soon after, the attacker began bridging the converted assets to the Ethereum mainnet to complicate tracking.
SwapNet operates as a liquidity router used by Matcha Meta to source pricing and deep liquidity. The exploit involved abusing existing approvals rather than breaching private keys or core infrastructure.
Matcha Meta, built by the 0x team, confirmed the issue and immediately disabled affected SwapNet contracts. The platform also removed the option allowing users to grant direct approvals to third-party aggregators.
Investigation Expands as Security Firms Flag Wider Risks
Further analysis suggested the exploit stemmed from an arbitrary call vulnerability within SwapNet contracts. This flaw allowed attackers to transfer approved tokens without requesting new permissions.
Security firm BlockSec reported that multiple contracts across chains suffered losses exceeding $17 million. Affected networks included Ethereum, Arbitrum, Base, and BNB Chain, increasing the incident’s scope.
Separately, CertiK estimated that stolen funds near $13.3 million in USDC from related activity.
Some contracts involved remained closed-source and unverified at deployment.
Matcha Meta later confirmed that 0x core contracts were not affected by the incident.
Users relying on one-time approvals through 0x infrastructure remained unaffected.
The incident renewed scrutiny around persistent token approvals in decentralized finance.
Unlimited permissions offer convenience but increase exposure during smart contract failures.
Meanwhile, on-chain investigator ZachXBT criticized Circle’s delayed response to freeze remaining USDC. Roughly $3 million reportedly remained at addresses eligible for freezing during the response window.
The breach adds to a growing list of DeFi security failures early in 2026. Industry data shows stolen crypto funds reached record levels in recent years, increasing pressure on protocol security practices.
|
| DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing. |
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Zondacrypto Exchange Faces Allegations of Misappropriating $350 Million, CEO Publicly Denies
One of Poland’s largest cryptocurrency exchanges, Zondacrypto, announced on April 16 via social media that its CEO, Przemysław Kral, said the exchange could not access a wallet holding 4,503 bitcoins, worth more than $350 million in current value. Kral published the address of the wallet in question to rebut allegations of misappropriation, but this disclosure immediately triggered a large-scale withdrawal.
MarketWhisper9h ago
CryptoQuant: KelpDAO Exploit Triggers the Most Severe Crisis Since 2024, Aave TVL Plunges 33%
According to CryptoQuant’s assessment on April 23, the KelpDAO exploit attack that occurred last week created potential bad debt risk for Aave of $124 million to $230 million within 72 hours, with TVL crashing 33%. USDT and USDC borrowing rates jumped from 3.4% to 14%, and ETH borrowing rates rose to the highest level since January 2024 at 8%.
MarketWhisper10h ago
CoW DAO Proposes Discretionary Grant Program to Compensate Domain Hijacking Victims
Gate News message, April 24 — CoW DAO has proposed establishing a discretionary grant program to compensate users who suffered losses from the April 14 cow.fi domain hijacking incident. The program will provide up to 100% loss reimbursement through a one-time allocation from the legal defense
GateNews10h ago
Poland's Largest Exchange Faces $350M Swindling Allegations
Zondacrypto is facing allegations of fund misappropriation, as its CEO, Przemysław Kral, claims the exchange lost access to a wallet containing over 4,500 BTC. Kral stated that the wallet was sold to the exchange, but its former owner disappeared before delivering the private keys.
Key
Coinpedia12h ago
JPMorgan: DeFi Security Exploits and Stagnant TVL Limit Institutional Adoption
Gate News message, April 23 — JPMorgan analysts led by managing director Nikolaos Panigirtzoglou said that persistent decentralized finance (DeFi) exploits and weak growth continue to limit institutional interest in the sector. The recent Kelp DAO hack wiped approximately $20 billion from DeFi's tot
GateNews18h ago
