Matcha Meta Breach Results in $16.8M Loss from SwapNet Exploit — Users Advised to Revoke Access


A security incident linked to the decentralized exchange aggregator Matcha Meta has led to the loss of approximately $16.8 million in cryptocurrency, adding to a growing list of smart-contract vulnerabilities that continue to challenge participants' security expectations.

The event occurred on Sunday and was traced back not to the core infrastructure of Matcha, but rather to SwapNet, one of the liquidity providers integrated with the platform.

Matcha Meta publicly acknowledged the situation in a post on X, indicating that users who had disabled the “One-Time Approval” feature and granted direct token allowances to specific aggregator contracts might have been at risk.

We are aware of an incident involving SwapNet that may have exposed users on Matcha Meta who disabled One-Time Approvals.
We are in communication with the SwapNet team, and they have temporarily halted their contracts.
The team is actively investigating and will provide…

— Matcha Meta (@matchametaxyz) January 25, 2026

The protocol advised impacted users to promptly revoke approvals linked to SwapNet’s router contract, cautioning that neglecting to do so could expose wallets to additional unauthorized transfers.

$17M Disappears Instantly: How Matcha Hackers Transferred Funds to Ethereum

Blockchain security firms quickly began tracking the exploit as the funds moved on-chain.

PeckShield reported that approximately $16.8 million had been siphoned off, with the attacker exchanging around $10.5 million in USDC for approximately 3,655 ETH on the Base network before beginning to bridge assets to Ethereum.

#PeckShieldAlert Matcha Meta has announced a security breach involving SwapNet. Users who opted out of “One-Time Approvals” are in jeopardy.
So far, approximately $16.8 million worth of crypto has been drained.
On #Base, the attacker swapped around $10.5M $USDC for roughly 3,655 $ETH and has started bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF

— PeckShieldAlert (@PeckShieldAlert) January 26, 2026

CertiK independently flagged unusual transactions, identifying one wallet that extracted about $13.3 million in USDC on Base and converted the assets into wrapped Ether.

Both firms pointed to a flaw in the SwapNet contract that permitted arbitrary calls, allowing the attacker to transfer tokens that users had previously granted approval for.

1/ The vulnerability appears to be in an arbitrary call within the @0xswapnet contract that enabled the attacker to transfer funds that were approved to it. (https://t.co/B7ux5zzMLS)
The team has temporarily deactivated their contracts and is actively investigating. https://t.co/NBNvzxHCRw
Please revoke approval…

— CertiK Alert (@CertiKAlert) January 26, 2026

Matcha later clarified that the incident was not related to 0x’s AllowanceHolder or Settler contracts, which support its One-Time Approval mechanism.

The team indicated that users who engaged with Matcha through One-Time Approvals were not impacted, as this design restricts how much access a third-party contract can maintain.

After discussions with 0x’s protocol team, we have confirmed that the nature of the incident was not connected to 0x’s AllowanceHolder or Settler contracts.
Users who have interacted with Matcha Meta via One-Time Approval are therefore secure.
Users who have disabled One-Time… https://t.co/VQVmj4LL0F

— Matcha Meta (@matchametaxyz) January 25, 2026

The exposure, the team stated, only affected users who opted out of that system and provided ongoing allowances directly to aggregator contracts. In response, Matcha has eliminated the option for users to set such direct approvals in the future.

Legacy Token Approvals Resurface as a Recurring DeFi Vulnerability

The breach underscores an ongoing conflict in DeFi between flexibility and security. Token approvals, while essential for engaging with , have long been a vulnerable point, especially when permissions remain active long after a transaction is finalized.

In this instance, previously granted allowances became the route for the exploit once the SwapNet contract was compromised.
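The revocation advice above comes down to finding allowances that are still standing. As an added example (not from Matcha, SwapNet or the original article), this Python sketch replays ERC-20 Approval event logs to list owners whose allowance to a given spender was never reset to zero; the log dictionaries, every address and the `standing_allowances` name are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval topic0.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded: keep the low 20."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, spender):
    """Map (token, owner) -> last approved amount for `spender`, if non-zero.
    The latest Approval per (token, owner) wins. A finite amount is an upper
    bound: transferFrom may spend it down without emitting Approval, so
    confirm with the token's allowance() before acting on it.
    """
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

# --- Constructed sample data: every address below is a placeholder. ---
ROUTER, OTHER, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "11" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20

def _log(block, idx, owner, spender, amount, extra_topics=()):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": TOKEN,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra_topics],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(100, 0, ALICE, ROUTER, UNLIMITED),       # never revoked
    _log(101, 3, BOB, ROUTER, 500),               # granted ...
    _log(150, 1, BOB, ROUTER, 0),                 # ... then revoked
    _log(120, 0, CAROL, OTHER, UNLIMITED),        # different spender
    _log(130, 2, CAROL, ROUTER, 0, ("0x" + "00" * 31 + "07",)),  # ERC-721 shape
]

if __name__ == "__main__":
    for (token, owner), amount in standing_allowances(SAMPLE_LOGS, ROUTER).items():
        shown = "unlimited" if amount == UNLIMITED else amount
        print(f"revoke: owner={owner} token={token} allowance={shown}")
```

On the sample data only the first owner is reported: the second revoked, the third approved a different spender, and the four-topic log is not an ERC-20 approval.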

The incident occurs amid ongoing concerns about smart-contract security throughout the cryptocurrency industry.

SlowMist’s year-end report reveals that vulnerabilities in smart contracts constituted just over 30% of crypto exploits in 2025, making them the primary cause of losses.

Source: SlowMist

Researchers have also cautioned that advancements in artificial intelligence are expediting how rapidly attackers can pinpoint and exploit vulnerabilities in on-chain code.

While overall cryptocurrency losses decreased in December, plummeting about 60% month-on-month to around $76 million, security firms warned that the decline did not signify a structural improvement.

Crypto-related losses from hacks and cyber security incidents sharply decreased in December, falling 60% month-on-month to about $76 million. #Crypto #Hack https://t.co/mke6K8sLVQ

— Cryptonews.com (@cryptonews) January 2, 2026

PeckShield noted that a single address-poisoning scam accounted for $50 million of December’s losses, demonstrating how concentrated and severe individual incidents can be even during quieter times.

January has already seen several significant exploits. IPOR Labs confirmed a $336,000 attack on its USDC Fusion Optimizer vault on Arbitrum, while Truebit reported a smart-contract incident that on-chain analysts estimate drained over 8,500 ETH, resulting in a near-total collapse in the project’s token value.

Last week, the Layer-1 network Saga paused its SagaEVM chain after an exploit transferred nearly $7 million in assets to Ethereum.

The post Matcha Meta Breach Drains $16.8M via SwapNet Exploit — Users Urged to Revoke Access appeared first on Cryptonews.