Matcha Meta Breach Drains $16.8M via SwapNet Exploit âEUR" Users Urged to Revoke Access

Matcha Meta Breach Drains $16.8M via SwapNet Exploit âEUR... Decentralized exchange Matcha Meta lost $16.8M through a SwapNet smart-contract exploit, prompting urgent warnings for users to revoke token approvals immediately and secure their wallets against further losses. The post Matcha Meta Breach Drains $16.8M via SwapNet Exploit âEUR" Users Urged to Revok... A security breach tied to decentralized exchange aggregator Matcha Meta has resulted in the theft of roughly $16.8 million in crypto assets, adding to a growing list of smart-contract exploits that continue to test the safety assumptions of DeFi users.The incident unfolded on Sunday and was traced not to MatchaâEUR(TM)s core infrastructure, but to SwapNet, one of the liquidity providers integrated into the platform.Matcha Meta disclosed the issue publicly in a post on X, saying users who had disabled its âEUR?"One-Time ApprovalâEUR feature and instead granted direct token allowances to individual aggregator contracts may have been exposed. We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time ApprovalsWe are in contact with the SwapNet team and they have temporarily disabled their contractsThe team is actively investigating and will provideâEUR¦- Matcha Meta (@matchametaxyz) January 25, 2026 The protocol urged affected users to immediately revoke approvals connected to SwapNetâEUR(TM)s router contract, warning that failure to do so could leave wallets vulnerable to further unauthorized transfers. $17M Vanishes in Seconds: How Matcha Hackers Slipped Funds Onto EthereumBlockchain security firms quickly began tracking the exploit as funds moved on-chain. PeckShield reported that approximately $16.8 million had been drained in total, with the attacker swapping around $10.5 million in USDC for roughly 3,655 ETH on the Base network before starting to bridge assets to Ethereum. #PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of "One-Time Approvals" are at risk.So far, ~$16.8M worth of crypto has been drained.On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds toâEUR¦ https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF- PeckShieldAlert (@PeckShieldAlert) January 26, 2026 CertiK independently flagged suspicious transactions, identifying one wallet that siphoned about $13.3 million in USDC on Base and converted the funds into wrapped Ether. Both firms pointed to a vulnerability in the SwapNet contract that allowed arbitrary calls, enabling the attacker to transfer tokens that users had previously approved. 1/ The vulnerability seems to be in arbitrary call in @0xswapnet contract that let attacker to transfer funds approved to it. (https://t.co/B7ux5zzMLS) The team have temporarily disabled their contracts is actively investigating.https://t.co/NBNvzxHCRwPlease revoke approvalâEUR¦- CertiK Alert (@CertiKAlert) January 26, 2026 Matcha later clarified that the incident was not connected to 0xâEUR(TM)s AllowanceHolder or Settler contracts, which underpin its One-Time Approval system. The team noted that users who interacted with Matcha using One-Time Approvals were not affected, as this design limits how much access a third-party contract can retain. After reviewing with 0x's protocol team, we have confirmed that the nature of the incident was not associated with 0x's AllowanceHolder or Settler contracts.Users who have interacted with Matcha Meta via One-Time Approval are thus safe. Users who have disabled One-TimeâEUR¦ https://t.co/VQVmj4LL0F- Matcha Meta (@matchametaxyz) January 25, 2026 The exposure, the team said, applied only to users who opted out of that system and granted ongoing allowances directly to aggregator contracts. In response, Matcha has removed the option for users to set such direct approvals going forward.Old Token Approvals Emerge as a Persistent DeFi Weak SpotThe breach highlights a recurring tension in DeFi between flexibility and safety. Token approvals, while necessary for interacting with smart contracts, have long been a weak point, particularly when permissions remain active long after a transaction is completed.In this case, previously granted allowances became the pathway for the exploit once the SwapNet contract was compromised.The incident arrives amid continued concerns over smart-contract security across the crypto sector.SlowMistâEUR(TM)s year-end report shows that vulnerabilities in smart contracts accounted for just over 30% of crypto exploits in 2025, making them the leading cause of losses. Source: SlowMistResearchers have also warne...