A new technical write-up from BlockSec analyzed suspicious transactions impacting contracts tied to SwapNet and Aperture Finance across Ethereum, Arbitrum, Base, and BSC, with total losses described as exceeding $17 million.

BlockSec’s analysis frames both incidents as variations of the same pattern: contracts exposed an arbitrary-call capability because of insufficient input validation, which let attackers abuse existing user approvals and trigger token transfers via transferFrom.

What BlockSec Says Was the Root Cause

BlockSec describes the high-level issue as straightforward: user-controlled low-level calls combined with weak validation in contracts that were already holding token approvals.

In the SwapNet case, BlockSec says a decompiled function identified as 0x87395540() appears to accept user-supplied inputs without properly validating critical parameters. The write-up explains that an attacker could swap the expected router or pool address with a token address, causing the contract to treat the token as an execution target and perform a low-level call with attacker-controlled calldata, which then results in approvedAsset.transferFrom(victim, attacker, amount).

In the Aperture Finance case, BlockSec says a function identified as 0x67b34120() follows an intended minting workflow but calls an internal function 0x1d33() that executes a user-controlled low-level call without strict constraints on call target or selector. BlockSec notes this can siphon not only ERC-20 tokens but also approved Uniswap V3 position NFTs, since the victim contract can be coerced into calling transfer logic in the context of the approved spender.

What Was Exploited

SwapNet: approvals plus a permissive call path

Matcha Meta’s post-mortem explains that a subset of users became exposed by disabling “One-Time Approval” and approving SwapNet contracts directly, including the address 0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e. In its incident summary, Matcha Meta reports $13.43M in losses for 20 users and notes that some external outlets quoted $16.8M because they bundled in a separate Aperture incident, as described in the SwapNet incident post-mortem.

The same post-mortem provides a Base transaction anchor for the exploit wave, highlighting the initial drain transaction 0xc15df1d131e98d24aa0f107a67e33e66cf2ea27903338cc437a3665b6404dd57.

BlockSec’s report estimates the SwapNet incident at roughly $13.41M across chains and uses that Base transaction as a representative example while reconstructing the vulnerable call path from decompiled bytecode.

Aperture Finance: approvals plus swap logic that could be redirected

BlockSec highlights the Aperture victim contract address 0xD83d960deBEC397fB149b51F8F37DD3B5CFA8913 and analyzes an Ethereum exploit transaction 0x8f28a7f604f1b3890c2275eec54cd7deb40935183a856074c0a06e4b5f72f25ain its attack-flow reconstruction.

BlockSec estimates Aperture losses at roughly $3.67M across multiple chains in the same write-up and notes a key design gap: validation seemed to focus on the approval spender while failing to validate the actual execution target used in the low-level call.

Why the “Closed Source” Angle Is Catching Fire

BlockSec explicitly says both victim contract families were closed source and decompiled into thousands of lines with deeply nested branching logic, which made analysis harder even though the underlying issue was simple.

That matters because security review and collective scrutiny are constrained when:

external auditors cannot reason about intent and invariant checks from readable source
n- developers rely on obscurity rather than guardrails
integrations ship faster than independent review cycles

The market takeaway is that closed-source contracts can still be secure, but they must compensate with stricter constraints, clearer external interfaces, and stronger monitoring because community review is limited.

Practical Takeaways for Developers and Auditors

Treat “arbitrary call” as a red-flag feature

Allowing user-supplied call targets and calldata is a high-risk pattern. If a protocol needs extensibility, a safer baseline is:

enforce an allowlist of call targets and function selectors
validate calldata structure and length
restrict calls to known routers with known interfaces
block token contracts as call targets unless there is an explicit, validated reason

Approvals should not be assumed safe by default

SwapNet’s exploit path relied on users granting direct approvals. Matcha Meta’s response was to remove optionality that let users bypass the more secure route and disable the toggle that turned off one-time approvals, as described in its post-mortem.

For products that must accept approvals, the safest posture is to reduce their power:

prefer one-time approvals or constrained allowance flows
keep the approval spender fixed and tightly controlled
avoid routing approvals to contracts that can execute arbitrary external calls

Monitoring should focus on call target anomalies

BlockSec’s reconstruction suggests the exploit begins when a routing target is replaced with a token address, which is a pattern that is measurable. Runtime monitoring can flag abnormal targets and selectors before funds drain at scale.

What to Watch Next

The most useful follow-through is technical confirmation of scope.

BlockSec’s report is the primary anchor for the root cause and includes chain scope and representative transactions in its incident analysis. Matcha Meta’s post-mortem adds user-exposure framing and concrete Base transaction.

If similar contracts share the same input-validation weakness, the next signals are copycat exploit attempts, rapid contract pauses, and a wave of revoke-approval guidance from related integrators.

Conclusion

BlockSec’s analysis argues that the SwapNet and Aperture incidents share a simple and repeatable root cause: user-controlled low-level calls with insufficient validation inside contracts that already had token approvals. The detail that amplifies the narrative is not complexity. It is that closed-source, hard-to-review code paths turned a basic design hazard into a multi-chain loss event.

The post BlockSec Links SwapNet and Aperture Losses to Closed-Source Arbitrary-Call Pattern appeared first on Crypto Adventure.

---

Filed under: Bitcoin - @ January 28, 2026 9:27 am