TLDR

Matcha Meta confirmed a security breach involving its SwapNet integration.
PeckShield reported that around 16.8 million dollars in assets were stolen.
The attacker converted 10.5 million dollars in USDC to 3655 ETH on Base.
CertiK identified the exploit as an arbitrary call vulnerability in SwapNet.
Matcha Meta said only users with direct contract allowances were affected.

Matcha Meta reported a security breach involving its SwapNet integration, leading to a multi-million dollar theft. Blockchain security firm PeckShield identified a loss of around $16.8 million, pointing to Base chain activity. CertiK later confirmed the exploit originated from a vulnerability in SwapNet’s smart contract.

PeckShield Flags $16.8M Loss on Base Chain

PeckShield detected the incident through on-chain analysis, confirming the attacker drained $16.8 million in digital assets. The firm highlighted that $10.5 million in USDC was converted into 3,655 ETH through Base. The attacker began moving the stolen ETH to Ethereum through bridging services.

#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of “One-Time Approvals” are at risk.

So far, ~$16.8M worth of crypto has been drained.

On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF

— PeckShieldAlert (@PeckShieldAlert) January 26, 2026

PeckShield said, “The attacker exploited approvals set on SwapNet to execute unauthorized transfers.”

This method allowed direct control over user funds without triggering standard warnings. On-chain movement matched this pattern across multiple wallet addresses, confirming the exploit strategy.

CertiK earlier reported $13.3 million in USDC losses, identifying a vulnerability that enabled arbitrary contract calls. The attacker took advantage of direct token allowances set by some users. This flaw let them bypass permission checks and access funds directly.

1/ The vulnerability seems to be in arbitrary call in @0xswapnet contract that let attacker to transfer funds approved to it. (https://t.co/B7ux5zzMLS)

The team have temporarily disabled their contracts is actively investigating.https://t.co/NBNvzxHCRw

Please revoke approval…

— CertiK Alert (@CertiKAlert) January 26, 2026

Matcha Meta Confirms Scope and Source of Exposure

Matcha Meta acknowledged the breach but stated it affected only users with manual approvals on aggregator contracts. In a public statement, the team confirmed that users with One-Time Approval remained secure. “Only those who bypassed the One-Time Approval system were exposed,” the statement read.

The company later clarified that the issue did not involve 0x protocol contracts like AllowanceHolder or Settler. This detail followed collaboration with 0x’s internal team to confirm the cause. Matcha Meta emphasized that affected users had accepted elevated risks by customizing contract permissions.

To prevent future misuse, the team disabled the option to set individual allowances on aggregator contracts. The company stated, “We have removed the ability for users to set allowances on aggregators directly.” This change aims to prevent direct exposure to third-party aggregator risks.

Crypto Thefts Continue as Matcha Meta Investigates

Matcha Meta has not yet issued another formal update regarding fund recovery or specific user reimbursements. This incident adds to 2025’s mounting crypto thefts, which reached $3.41 billion according to Chainalysis data. A $1.5 billion breach at Bybit contributed nearly half of that year’s total losses. Analysts attributed much of the theft to North Korea-linked actors, who stole $2.02 billion during the year.

Crypto platforms face growing risks as exploits target smart contracts and user allowances. Security firms urge users to review token permissions and disable unnecessary approvals.

The post Matcha Meta Hit by $16.8M SwapNet Exploit, PeckShield Traces Funds appeared first on CoinCentral.

---

Filed under: News - @ January 26, 2026 5:25 pm