Security experts report varying damage estimates and highlight the risks of direct smart contract authorizations.

Hackers Steal Up to $16.8M Through SwapNet

26.01.2026 - 10:35

314

2 min

Key points:

  • Matcha Meta was targeted due to a vulnerability in the SwapNet contract, allowing hackers to steal millions of dollars.
  • Estimates of the losses vary, but experts agree the root cause was an insecure authorization model.

The decentralized exchange aggregator Matcha Meta faced a serious security issue, as the attacker exploited a flaw during the SwapNet integration to withdraw a large sum.

Source: X.com

Right after the incident, cybersecurity firms began publishing their own damage estimates. Their conclusions varied, adding uncertainty about the full scope of the attack. Some USDC assets were moved from the Base network to Ethereum, while Matcha Meta remained largely silent on the status of users’ funds.

How the SwapNet Attack Was Detected

The first warning came from blockchain analytics firm PeckShield, which reported that the hacker had stolen around $16.8M. Analysis showed the attacker converted $10.5M in USDC on the Base network into roughly 3,655 ETH and quickly transferred it to Ethereum. The rapid pace of transactions suggested an automated attack script.

Source: X.com

Later, security firm CertiK estimated the losses at about $13.3M. According to CertiK, the root cause was a SwapNet smart contract vulnerability that allowed arbitrary function calls. The difference in figures is explained by additional bridge transactions and differing calculation methods.

In its initial statement, Matcha Meta emphasized that users who used single-use transaction approvals were not affected. According to the team, the risk only applied to users who directly authorized smart contracts. Based on this, the project attempted to limit the scale of the incident.

Following the attack, Matcha Meta launched an internal investigation in collaboration with the 0x team. Developers clarified that the incident did not affect the AllowanceHolder or Settler contracts from 0x. They also acknowledged that direct authorization of aggregator contracts creates additional risks for users. As a result, the function was disabled to reduce the likelihood of similar incidents in the future.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy