The swap and bridge aggregation platform built by 0x, Matcha Meta, has lost $16.8 million in digital assets due to a SwapNet security breach, according to Web3 security platform PeckShield.
Matcha Meta disclosed on Monday that it suffered a security exploit over the weekend, where attackers swindled tokens from an external aggregator integrated into Matcha Meta’s interface called SwapNet. The platform said users who disabled its “One-Time Approvals” feature and granted direct token permissions to individual aggregators were at risk of losing their funds.
In the swap aggregator’s statement on X, MM said it became aware of suspicious activity after records of large, unauthorized token movements from SwapNet’s router contract appeared on transactional records. The platform confirmed it had contacted the SwapNet team, which “temporarily disabled its contracts” to prevent more losses.
Matcha Meta hacker swapped 3k Ether coins from victims
According to the blockchain security firm PeckShield, the attacker drained funds via token approvals and swaps. They moved approximately 10.5 million USDC from victim addresses on the Base, an Ether layer-2 blockchain, then swapped the stablecoins for 3,655 Ether, consolidating value into a more liquid asset.
After completing the swaps, the attacker began bridging the Ether from Base to the Ethereum mainnet to hide any transaction trails. Bridging is the process of transferring assets between blockchains using smart contracts or intermediary protocols. Although it is considered “legitimate” in most cases, hackers use it because it makes it nearly impossible to track their operations.
The perpetrator had previously granted token allowances to move funds without the user’s signature, which grants permission for a smart contract to spend their tokens. If an allowance is set to unlimited, a malicious or compromised contract can drain funds until the balance is depleted.
Matcha Meta said users who interacted with the platform using its One-Time Approval system were not impacted. That feature routes token permissions through 0x’s AllowanceHolder and Settler contracts, limiting a trader’s exposure by granting approvals for a single transaction.
“After reviewing with 0x’s protocol team, we have confirmed that the nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts,” Matcha Meta wrote on X later on. The company added that users who disabled One-Time Approvals and set direct allowances on aggregator contracts “assume the risks of each aggregator.”
The DEX swap platform removed the function for users to set direct allowances on aggregators through its interface, while asking the community to revoke any existing permissions on SwapNet’s router contract.
DeFi smart contract hacks persist in 2026
The Matcha Meta incident comes just six days after Makina Finance, a decentralized finance protocol with automated execution features, suffered a network breach that drained its DUSD/USDC liquidity pool on Curve.
As reported by Cryptopolitan, hackers extracted about 1,299 Ether from Makina’s Curve stablecoin pool, worth $4.13 million at the time. The breach involved non-custodial liquidity providers connected to an on-chain pricing oracle, a data feed used by smart contracts to determine asset values.
Per the blockchain analytics firm Elliptic, much of today’s dark web money laundering involves coin swap services, including instant exchanges that run through standalone websites or Telegram channels.
Last year, the decentralized exchange aggregator CoWSwap reported a breach that resulted in losses of more than $180,000. About $180,000 worth of DAI was stolen through CoWSwap’s trade execution GPv2Settlement smart contract.
The platform said the compromised contract had access only to protocol fees collected over one week, stemming from the exploitation of a solver account. In CoWSwap’s model, users sign trade intents that are passed to third-party solvers, which compete to provide the best prices and store collected fees.
If you’re reading this, you’re already ahead. Stay there with our newsletter.
Source: https://www.cryptopolitan.com/matcha-meta-security-breach-16-8m-drained/
