Matcha Meta Breach: $16.8 Million Stolen via SwapNet Exploit
A recent security breach has hit decentralized exchange aggregator Matcha Meta, resulting in the theft of approximately $16.8 million in crypto assets. The incident occurred on Sunday and was attributed to a vulnerability in SwapNet, one of the liquidity providers integrated into the platform. According to Matcha Meta, the breach did not affect the platform’s core infrastructure, but rather exploited a weakness in the SwapNet contract.
Matcha Meta addressed the issue in a post, stating: “We are aware of an incident involving SwapNet that users on Matcha Meta may have been exposed to if they had one-time permissions disabled. We are in contact with the SwapNet team and they have temporarily disabled their contracts. The team is actively conducting research and will provide updates.”
The breach highlights the importance of revoking access to contracts that are no longer in use. Matcha Meta urged affected users to immediately revoke permissions related to SwapNet’s router contract, warning that failure to do so could leave wallets vulnerable to further unauthorized transfers.
How the Hackers Exploited the Vulnerability
Blockchain security firms, such as PeckShield and CertiK, quickly began tracking the exploit as funds moved on-chain. According to PeckShield, a total of approximately $16.8 million was siphoned off, with the attacker exchanging about $10.5 million in USDC for about 3,655 ETH on the Base network before beginning to bridge assets to Ethereum. CertiK reported suspicious transactions and identified a wallet that withdrew approximately $13.3 million in USDC on Base and converted the funds into wrapped Ether.
Both firms pointed to a vulnerability in the SwapNet contract that allowed arbitrary calls and enabled the attacker to transfer tokens that users had previously approved. Matcha later clarified that the incident was not related to 0x’s AllowanceHolder or Settler contracts, which underlie the one-time approval system.
Old Token Permissions: A Persistent DeFi Vulnerability
The breach highlights a recurring tension between flexibility and security in DeFi. While necessary for interacting with smart contracts, token permissions have long been a vulnerability, particularly when permissions remain active long after a transaction has been completed. In this case, previously granted certificates became the avenue for the exploit once the SwapNet contract was compromised.
According to SlowMist’s year-end report, smart contract vulnerabilities accounted for just over 30% of crypto exploits in 2025, making them the leading cause of losses. Researchers have also warned that advances in artificial intelligence are accelerating the speed at which attackers can identify and exploit vulnerabilities in on-chain code.
For more information on the Matcha Meta breach, visit https://cryptonews.com/news/matcha-meta-16-8m-swapnet-exploit-users-warned/
