Matcha Meta sees $16.8 million drained in SwapNet incident: PeckShield
Matcha Meta reported a security incident involving its SwapNet integration, resulting in an estimated $16.8 million loss of user funds.Summary
Decentralized exchange aggregator Matcha Meta experienced a security incident related to its SwapNet integration on Sunday, leading to a significant drain of user funds. PeckShield estimated the loss at approximately $16.8 million, based on on-chain data showing an attacker swapping USDC on Base for ETH before bridging to Ethereum. CertiK reported a slightly lower estimate of $13.3 million, attributing the exploit to an "arbitrary call" vulnerability in the SwapNet contract.
Matcha Meta clarified that the exposure was limited to users who had disabled One-Time Approvals and set direct allowances on individual aggregator contracts; users relying on One-Time Approval were unaffected. The project later confirmed the issue was not with 0x's AllowanceHolder or Settler contracts. In response, Matcha Meta removed the ability for users to set direct allowances on aggregators to prevent recurrence. The incident occurs amidst rising cryptocurrency theft, which totaled over $3.41 billion in 2025.
(Source:The Block)