Matcha Meta, a major DEX aggregator built on 0x, has reported a serious security breach linked to its liquidity provider, Swapnet. Security firms say the attack drained up to $16.8 million in cryptocurrency from users.
The exploit targeted approvals that users had previously granted to Swapnet’s router contract for trading. Matcha Meta said users who turned off its “One-Time Approvals” feature and instead gave manual approvals were most at risk.
What Attackers Did With the Stolen Funds
On-chain research indicates that the attacker exchanged about 11 million USDC for 3,655 ETH on the Base network. After that, they started bridging the ETH from Base to Ethereum, which complicates recovery and monitoring.
Total loss estimates vary somewhat. According to PeckShield and other researchers, the amount taken was closer to $16.8 million; however, CertiK indicated that about $13.3 million had been taken.
Response From Matcha Meta and Swapnet
Matcha Meta said the root issue lies in Swapnet’s smart contract, not in its core infrastructure. After an alert from Matcha Meta and security researchers, the Swapnet team disabled its vulnerable contract to contain further damage.
Both Matcha Meta and security firms urged users to revoke any token approvals granted to Swapnet contracts as a safety step. Users who kept Matcha Meta’s one-time authorization system in place appear to have avoided direct losses, according to early reports.
The hack draws attention to the growing dangers of DeFi integrations, where a single flawed smart contract can affect multiple linked systems. With scores of cases documented in 2025, smart contract vulnerabilities were already the most common reason for Bitcoin breaches.
The Swapnet vulnerability is currently being investigated, and victims do not yet have a verified recovery strategy. Researchers and auditors are demanding stricter examination of third-party contracts before DeFi aggregators transfer user payments via them.
READ MORE: Solana Price Analysis: Why SOL Could Retest Lower Levels
