
DEX Aggregator Hit by $16.8M SwapNet Exploit After Approval Bypass


Decentralized exchange aggregator Matcha Meta has confirmed a security incident linked to its SwapNet integration, resulting in an estimated $16.8 million loss.

The breach was first flagged by blockchain security firm PeckShield, with further technical analysis later provided by CertiK.

What Went Wrong

According to findings shared by security researchers, the exploit specifically impacted users who had disabled Matcha Meta’s “One-Time Approval” feature. By opting out, those users granted persistent permissions directly to the SwapNet router contract, creating an attack surface that was later abused.

CertiK identified the root cause as an “arbitrary call” vulnerability in the SwapNet contract. This flaw allowed an attacker to initiate unauthorized transfers from wallets that had previously approved the router, effectively bypassing normal safeguards.

Fund Movement and Scope

On-chain activity shows the attacker swapped approximately $10.5 million in USDC on Base for around 3,655 ETH, before bridging the assets to Ethereum. The cross-chain movement appears designed to complicate tracking and recovery efforts.

Importantly, the incident did not affect all Matcha users. Exposure was limited to wallets that had manually disabled one-time approvals and granted direct permissions to SwapNet contracts.

Emergency Response Measures

In response to the exploit, Matcha Meta has taken several immediate steps:

  • SwapNet contracts have been suspended to prevent further losses.
  • Users have been urged to revoke existing approvals, particularly for the SwapNet router contract
    (0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e).
  • The platform has removed the option to disable one-time approvals, aiming to reduce similar risks going forward.
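The "What Went Wrong" section describes the exposure (a standing ERC-20 allowance granted to the router) and the response list describes the fix (revoke it). The following is an added example, not code from the article, Matcha Meta or SwapNet: dependency-free JavaScript that builds the `allowance(owner, spender)` query for each token, decides which allowances to the router are live (and which are the "unlimited" kind), and produces the `approve(spender, 0)` transaction that revokes each one. Only the router address is taken from the article; the wallet and token addresses, the in-memory allowance table and the `makeMockCall` stand-in for a JSON-RPC node are constructed so the code runs offline.

```javascript
// Added example (not code from the article, Matcha Meta or SwapNet): audit ERC-20
// allowances granted to one spender and build the approve(spender, 0) revocations.
// Only SWAPNET_ROUTER comes from the article; every other address/value is constructed.

// Standard ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
const SEL_ALLOWANCE = "dd62ed3e"; // allowance(address owner, address spender)
const SEL_APPROVE = "095ea7b3";   // approve(address spender, uint256 value)
const UINT256_MAX = (1n << 256n) - 1n;

// SwapNet router address quoted in the article's revocation advice.
const SWAPNET_ROUTER = "0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e";

function encodeAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase().padStart(64, "0"); // left-pad to 32 bytes
}

function encodeUint256(value) {
  const v = BigInt(value);
  if (v < 0n || v > UINT256_MAX) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

function decodeUint256(returnData) {
  const hex = returnData.startsWith("0x") ? returnData.slice(2) : returnData;
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) throw new Error("expected 32-byte return data");
  return BigInt("0x" + hex);
}

// eth_call payload for token.allowance(owner, spender).
function allowanceCalldata(owner, spender) {
  return "0x" + SEL_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}

// Transaction data for token.approve(spender, 0), i.e. a full revocation.
function revokeCalldata(spender) {
  return "0x" + SEL_APPROVE + encodeAddress(spender) + encodeUint256(0);
}

// Given allowance() return data already fetched per token (any JSON-RPC client can
// supply it), keep the live allowances and attach the revoke transaction for each.
// observed: [{ token, returnData }] -> [{ token, allowance, unlimited, revokeTx }]
function planRevocations(spender, observed) {
  const plan = [];
  for (const { token, returnData } of observed) {
    const allowance = decodeUint256(returnData);
    if (allowance === 0n) continue; // nothing granted, nothing to revoke
    plan.push({
      token,
      allowance,
      unlimited: allowance === UINT256_MAX, // the "infinite approval" pattern
      revokeTx: { to: token, data: revokeCalldata(spender), value: 0n },
    });
  }
  return plan;
}

// Constructed stand-in for a live node: answers allowance() calls from an in-memory
// table keyed by token, then "owner:spender", after validating the calldata shape.
function makeMockCall(table) {
  return (to, data) => {
    if (!data.startsWith("0x" + SEL_ALLOWANCE) || data.length !== 2 + 8 + 128) {
      throw new Error("mock only answers allowance(address,address)");
    }
    const owner = "0x" + data.slice(34, 74);     // last 20 bytes of word 1
    const spender = "0x" + data.slice(98, 138);  // last 20 bytes of word 2
    const value = (table[to.toLowerCase()] || {})[`${owner}:${spender}`] ?? 0n;
    return "0x" + encodeUint256(value);
  };
}

// Walk-through on constructed data: two tokens, one with an unlimited allowance to the router.
function demo() {
  const owner = "0x" + "0".repeat(38) + "a1";   // constructed wallet address
  const tokenA = "0x" + "0".repeat(38) + "f1";  // constructed token address
  const tokenB = "0x" + "0".repeat(38) + "f2";  // constructed token address
  const key = `${owner}:${SWAPNET_ROUTER.toLowerCase()}`;
  const call = makeMockCall({ [tokenA]: { [key]: UINT256_MAX }, [tokenB]: { [key]: 0n } });
  const observed = [tokenA, tokenB].map((token) => ({
    token,
    returnData: call(token, allowanceCalldata(owner, SWAPNET_ROUTER)),
  }));
  return planRevocations(SWAPNET_ROUTER, observed); // one entry: tokenA, unlimited
}
```

Against a real node, replace `makeMockCall` with `eth_call` requests carrying `allowanceCalldata(owner, spender)` to each token contract, then sign and send each `revokeTx` from the owner wallet. Setting the allowance to zero rather than to a small value is deliberate: zero works on every ERC-20, including tokens that reject non-zero-to-non-zero changes, and it is the only state in which a compromised spender can move nothing.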

The incident highlights the security trade-offs associated with persistent contract approvals and reinforces the importance of regular permission reviews, especially when interacting with aggregators and routing contracts.

Author: Ralf Klein (https://www.proz.com/translator/2515043)

Ralf Klein is a computer engineer specializing in database technology, and as such, he was immediately fascinated by the possibilities of blockchain when he first heard about it, especially since this distributed, tamper-proof technology can be the foundation for much more than just cryptocurrencies. At ETHNews, he translates the articles of his English-speaking colleagues for the German readers.