Matcha Meta users hit as swapnet hack exploits permanent token approvals to steal $16.8 million

Users interacting through Matcha Meta have been hit by the swapnet hack, which abused risky token approvals to steal funds from exposed wallets.

Attack drains $16.8 million via exposed approvals

Blockchain security firm PeckShieldAlert first flagged a major security incident involving SwapNet that impacted Matcha Meta users. Attackers abused existing token permissions and ultimately drained $16.8 million in crypto from affected wallets. However, the core issue stemmed from how approvals were configured, not from a direct exploit in Matcha Meta’s code.

According to PeckShieldAlert, the breach targeted users who had altered their default Matcha Meta security settings. Instead of relying on safer, temporary permissions, these users had granted broader and more persistent access to protocol contracts, leaving assets vulnerable once an attacker discovered the exposure.

How the SwapNet exploit was executed

Matcha Meta offers a One-Time Approval system that limits token access to a single transaction. This design helps contain risk by ensuring that, after execution, smart contracts no longer have ongoing authority over the user’s tokens. Moreover, it forces a fresh approval before any new spending can occur.

However, some users disabled the one time approval disabled protection and instead granted direct, long-term allowances to individual aggregator contracts. These persistent approvals were linked to SwapNet, effectively giving its contracts continuous access to user funds across multiple transactions without additional confirmations.

Attackers then targeted those permanent token approvals. Once a wallet had approved the SwapNet-related contracts, the hacker could move tokens at will, without needing new signatures from the victim. That said, this allowed entire balances to be drained quietly, as no fresh on-chain approval prompts were required from users.

In practical terms, the swapnet hack turned these broad allowances into a direct attack vector. Approvals that were meant for convenient trading became a tool for unauthorized fund transfers after the contracts were compromised or misused.

On-chain traces on Base and Ethereum

On-chain data reveals that the attacker focused heavily on the Base network. Roughly $10.5 million in USDC was swapped for about 3,655 ETH, according to early analyses. Moreover, the timing and pattern of swaps suggest a coordinated attempt to quickly convert and redistribute the stolen stablecoins.

Shortly after the initial swaps, the attacker began base network bridging, moving funds from Base to Ethereum. Bridging is a common technique used by on-chain thieves to complicate tracking and mix transaction histories across multiple chains, making law enforcement and analytics efforts more challenging.

Additional transaction records show large USDC transfers exceeding $13 million and direct interactions with Uniswap V3 liquidity pools. Furthermore, PeckShieldAlert’s peckshieldalert breach report estimates that the cumulative impact reached approximately $16.8 million in stolen assets after aggregating activity across the involved addresses.

Matcha Meta and SwapNet reaction

Matcha Meta publicly acknowledged the incident and stated that it is collaborating closely with the SwapNet team. As an immediate containment measure, SwapNet temporarily disabled its contracts to halt further exploitation and reduce the risk of additional wallets being drained.

Furthermore, Matcha Meta removed the option for users to set direct aggregator allowances, which had created the opening for the attack. The change aims to ensure that future trading activity relies on more restrictive approval patterns, reducing the blast radius if a similar incident occurs again.

The platform also urged users to revoke token approvals that fall outside of 0x‘s own One-Time Approval contracts. In particular, Matcha Meta highlighted allowances linked to SwapNet’s router contract, which have now been identified as a key risk factor in the breach.

Ongoing investigation and user protection

Investigations into the breached wallets and associated contracts remain ongoing. Both Matcha Meta and SwapNet have pledged to provide continuous updates as they track the movement of the stolen funds and engage with security researchers. However, recovering assets in such on-chain incidents often proves difficult once funds are laundered across multiple protocols.

For now, the teams are concentrating on limiting further exposure and guiding users on safe practices. That said, the episode underlines how powerful token approvals can become a liability when misused or left unchecked, especially once a swapnet router compromised scenario emerges.

In summary, the breach shows that configuration choices around approvals are as critical as smart contract code. Users who rely on restrictive, one-time permissions and routinely audit their allowances are better positioned to withstand similar exploits targeting DeFi aggregators.