A recent security incident involving Matcha Meta’s SwapNet integration has resulted in the loss of an estimated $16.8 million in digital assets, according to blockchain security analysts. The exploit has raised renewed concerns about smart contract permissions, user approvals, and aggregator-level risks within decentralized finance.
Details of the SwapNet Security Breach
An attacker leveraged a vulnerability within SwapNet contracts to access funds that had been pre-approved through direct allowances. On-chain activity indicates that approximately $10.5 million in USDC on the Base network was swapped for around 3,655 ETH, before attempts were made to bridge the assets to Ethereum.

Security researchers identified the issue as an arbitrary call vulnerability, allowing malicious transactions to move tokens already authorized to the contract. Importantly, the exposure was limited to users who had disabled One-Time Approvals and instead relied on persistent allowances set at the aggregator level.
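As an added example (not code from the original report or from Matcha Meta), the sketch below shows how a defender could list the persistent allowances described above by replaying ERC-20 Approval logs for one spender contract. All addresses and log entries are constructed placeholders, and the `ROUTER` spender is a hypothetical stand-in for the affected contract.

```python
# keccak256("Approval(address,address,uint256)"), topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, spender):
    """Replay Approval logs in chain order; return {(token, owner): amount}
    for every allowance `spender` still holds according to the logs."""
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics, so require exactly 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)  # a later approve() overwrites
    # Upper bound: many tokens emit no Approval when transferFrom spends the
    # allowance, so confirm each hit with allowance(owner, spender) on-chain.
    return {k: v for k, v in latest.items() if v > 0}

def describe(amount):
    return "unlimited" if amount == MAX_UINT256 else str(amount)

# --- constructed sample data: placeholder addresses, not real contracts ---
TOKEN, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20

def make_log(block, index, owner, spender, amount):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    make_log(105, 0, BOB, ROUTER, 0),              # Bob revokes later...
    make_log(100, 2, ALICE, ROUTER, MAX_UINT256),  # persistent, still open
    make_log(101, 1, BOB, ROUTER, 500),            # ...after approving 500
    make_log(102, 0, CAROL, OTHER, MAX_UINT256),   # different spender
]

if __name__ == "__main__":
    for (token, owner), amount in standing_allowances(SAMPLE_LOGS, ROUTER).items():
        print(owner, "->", ROUTER, "on", token, ":", describe(amount))
```

Any entry this returns is an allowance that should be set back to zero once the spender contract is no longer trusted.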
User Impact and Mitigation Measures
Matcha Meta stated that users who interacted using One-Time Approval mechanisms were not affected. In response, Matcha Meta has disabled SwapNet contracts and removed the option to grant direct aggregator allowances to prevent similar incidents.
This incident adds to a growing list of high-value exploits in the crypto sector. In 2025 alone, cryptocurrency theft exceeded $3.4 billion, highlighting the ongoing need for stronger permission controls and user awareness in decentralized applications.
The investigation remains ongoing, with further updates expected as on-chain analysis continues.

