The recent security breach exploiting the SwapNet integration on the Matcha Meta platform has resulted in a sizeable financial loss, with estimates converging around $13.3 million in stolen USDC tokens. The incident took place over Sunday, January 25-26, 2026, and affected approximately 20 users, according to Matcha Meta’s disclosures. The majority of the funds were drained on the Base network; the attacker then converted $10.5 million USDC into approximately 3,655 ETH and bridged the assets from Base to Ethereum. Matcha acknowledged the breach publicly in a post on its official X account. As a remedial measure, the team temporarily disabled the SwapNet contracts during the investigation to prevent further losses from the vulnerability. The incident illustrates the critical importance of continuous monitoring in maintaining security post-audit.
Security analyses from the firms PeckShield and CertiK point to a complex exploit rooted in a vulnerability in the SwapNet contract integration. The flaw permitted arbitrary contract calls, which the attacker used to spend user-granted direct token allowances, particularly targeting wallets that had disabled the One-Time Approval feature. The vulnerability circumvented Matcha’s primary infrastructure as well as the 0x protocol contracts, indicating a deficiency in the integration layer’s design rather than in the core protocol. The two firms’ estimates differ ($16.8 million from PeckShield and $13.3 million from CertiK), reflecting differences in their on-chain accounting methodologies, but both affirm the magnitude of the theft. The exploit relied on an arbitrary-call vulnerability that enabled unauthorized contract interactions.
Affected users were characterized by their direct allowances granted to SwapNet’s router contract, which functions as a routing node in Matcha Meta’s transactional network. Matcha Meta has emphasized that wallets employing the One-Time Approval safeguard remained unaffected, underscoring the importance of conservative token allowance management in decentralized finance. The platform has recommended immediate revocation of SwapNet router approvals and has removed direct allowance options to mitigate future risks.
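To make the revocation advice concrete, the following added example (not code from Matcha Meta, SwapNet or the cited firms) replays ERC-20 `Approval` logs to find wallets that still hold a non-zero direct allowance to a given spender and builds the `approve(spender, 0)` calldata that revokes it. The router, token and wallet addresses and the sample logs are constructed placeholders; only the `Approval` event topic and the `approve` selector are real ERC-20 constants.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

def word(addr):
    """Left-pad a 20-byte hex address to a 32-byte ABI word (no 0x prefix)."""
    return addr.lower()[2:].rjust(64, "0")

def topic_to_address(topic):
    """Indexed addresses are 32-byte topics; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spender):
    """Map (token, owner) -> last non-zero amount approved to `spender`.
    Logs must be in chain order. Many tokens emit no Approval when
    transferFrom spends allowance, so confirm with allowance() on-chain."""
    latest = {}
    for log in logs:
        topics = log["topics"]
        # ERC-20 Approval has 3 topics (ERC-721 Approval has 4).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token."""
    return "0x" + APPROVE_SELECTOR + word(spender) + "0" * 64

# Constructed sample data: placeholder addresses, not the real router or token.
ROUTER, OTHER, TOKEN = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
ALICE, BOB, CAROL = ("0x" + c * 40 for c in "123")
def approval(owner, spender, amount):
    return {"address": TOKEN, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, "0x" + word(owner), "0x" + word(spender)]}

SAMPLE_LOGS = [
    approval(ALICE, ROUTER, MAX_UINT256),  # unlimited direct allowance
    approval(BOB, ROUTER, 500_000_000),    # revoked by the last entry
    approval(CAROL, OTHER, 1),             # different spender, ignored
    approval(BOB, ROUTER, 0),
]
if __name__ == "__main__":
    for (token, owner), amt in outstanding_allowances(SAMPLE_LOGS, ROUTER).items():
        print(owner, token, "UNLIMITED" if amt == MAX_UINT256 else amt)
    print("revoke:", revoke_calldata(ROUTER))
```

Because the figure is derived from logs, it is the last approved value rather than the remaining allowance, so treat any hit as a candidate for revocation and verify it against the token contract.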
This exploit underscores persistent vulnerabilities in aggregator integrations and token approval mechanisms, challenges that remain prevalent amid increasingly sophisticated DeFi attacks. With decentralized finance hacks accounting for over $3 billion in losses in 2025 alone, this event highlights the ongoing need for robust security audits and user awareness in protocol interactions. Furthermore, high-profile breaches like the $1.5 billion Bybit hack illustrate the broader market context and impact of DeFi vulnerabilities that continue to attract malicious actors.








