Quick Breakdown
- A major smart contract exploit targeting the SwapNet aggregator has resulted in the theft of approximately $16.8 million in cryptocurrency assets.
- The attack primarily affected Matcha Meta users who had manually disabled the “One-Time Approval” security feature, granting persistent permissions to the vulnerable SwapNet router.
- Security firms report that the attacker converted $10.5 million in USDC to ETH on the Base network before bridging funds to Ethereum to obfuscate the transaction trail.
The decentralized exchange (DEX) aggregator Matcha Meta reported a significant security breach on January 25, 2026, involving the third-party routing contract SwapNet. The exploit has led to a total loss of roughly $16.8 million as malicious actors capitalized on a vulnerability in SwapNet’s smart contract infrastructure. While Matcha’s core systems remain intact, the incident has highlighted the inherent risks of persistent token approvals in the DeFi landscape.
#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of “One-Time Approvals” are at risk.
So far, ~$16.8M worth of crypto has been drained.
On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF
— PeckShieldAlert (@PeckShieldAlert) January 26, 2026
One-time approvals fail to protect opted-out users
The Matcha Meta exploit, draining $16.8 million, affected a limited group of users who disabled the “0x One-Time Approval” security feature. By opting out, these users granted continuous approval to underlying aggregators, including the compromised SwapNet router, which became the attack vector.
On-chain data from PeckShield shows the attacker initially focused on the Base network, swapping approximately $10.5 million in $USDC for 3,655 $ETH before moving the stolen funds to the Ethereum mainnet via cross-chain bridges, a common tactic to hinder asset recovery and bypass L2 monitoring.
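The persistent approvals described above leave a trail of ERC-20 Approval events, so a wallet owner or monitoring team can replay those logs to see which allowances to a given router are still open. The following is an added example, not code from Matcha, SwapNet or PeckShield; the addresses and log entries are constructed placeholders, and the log dictionaries are assumed to follow the usual JSON-RPC shape (address, topics, data, blockNumber, logIndex).

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, spender):
    """Return {(token, owner): amount} for non-zero approvals last granted to spender.

    This is the last approved value, not the remaining allowance: confirm with the
    token's allowance(owner, spender) before acting on it.
    """
    spender = spender.lower()
    state = {}
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but four topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        owner = topic_to_address(topics[1])
        state[(log["address"].lower(), owner)] = int(log["data"], 16)  # later log wins
    return {k: v for k, v in state.items() if v > 0}

def is_unlimited(amount):
    # Wallets commonly request 2**256-1; treat the top half of the range as unlimited.
    return amount >= 2**255

# --- constructed sample data (placeholder addresses, not real contracts) ---
ROUTER, OTHER, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "aa" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c4" * 20

def _log(block, idx, owner, spender, amount, extra=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(105, 1, BOB, ROUTER, 0),              # Bob revokes later
    _log(100, 0, ALICE, ROUTER, MAX_UINT256),  # persistent, unlimited approval
    _log(101, 2, BOB, ROUTER, 500),
    _log(102, 0, CAROL, OTHER, MAX_UINT256),   # different spender
    _log(103, 0, CAROL, ROUTER, 1, extra=["0x" + "0" * 64]),  # NFT-style, ignored
]
```

In the sample, only Alice's unlimited approval to the placeholder router remains open; Bob's later zero-value approval counts as a revocation.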
Industry experts urge immediate approval revocation
The exploit serves as a stark reminder of the “invisible tax” of complexity in Web3, where the interaction between different protocols can create unforeseen security gaps. As DeFi continues to integrate more cross-chain and multi-chain interoperability features in 2026, the necessity for robust auditing and user-level security practices like one-time approvals has never been more critical.
Similarly, the Saga incident powerfully highlights the systemic risks inherent in decentralized finance, particularly concerning cross-chain operations. This attack led to the depegging of the Saga Dollar and a significant drop in Total Value Locked (TVL). While the community awaits the network’s restoration and fund recovery, the immediate focus is on implementing technical countermeasures and ongoing investigations to trace the stolen assets. The event forcefully underscores the critical necessity for robust protocol security and strengthening overall security frameworks to maintain long-term trust and resilience within the interconnected DeFi ecosystem.