Hackers Steal Up to $16.8M Through SwapNet
Security experts report varying damage estimates and highlight the risks of direct smart contract authorizations.
26.01.2026 - 10:35
314
2 min
0
Key points:
- Matcha Meta was targeted due to a vulnerability in the SwapNet contract, allowing hackers to steal millions of dollars.
- Estimates of the losses vary, but experts agree the root cause was an insecure authorization model.
The decentralized exchange aggregator Matcha Meta faced a serious security issue, as the attacker exploited a flaw during the SwapNet integration to withdraw a large sum.
Right after the incident, cybersecurity firms began publishing their own damage estimates. Their conclusions varied, adding uncertainty about the full scope of the attack. Some USDC assets were moved from the Base network to Ethereum, while Matcha Meta remained largely silent on the status of users’ funds.
How the SwapNet Attack Was Detected
The first warning came from blockchain analytics firm PeckShield, which reported that the hacker had stolen around $16.8M. Analysis showed the attacker converted $10.5M in USDC on the Base network into roughly 3,655 ETH and quickly transferred it to Ethereum. The rapid pace of transactions suggested an automated attack script.
Later, security firm CertiK estimated the losses at about $13.3M. According to CertiK, the root cause was a SwapNet smart contract vulnerability that allowed arbitrary function calls. The difference in figures is explained by additional bridge transactions and differing calculation methods.
In its initial statement, Matcha Meta emphasized that users who used single-use transaction approvals were not affected. According to the team, the risk only applied to users who directly authorized smart contracts. Based on this, the project attempted to limit the scale of the incident.
Following the attack, Matcha Meta launched an internal investigation in collaboration with the 0x team. Developers clarified that the incident did not affect the AllowanceHolder or Settler contracts from 0x. They also acknowledged that direct authorization of aggregator contracts creates additional risks for users. As a result, the function was disabled to reduce the likelihood of similar incidents in the future.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026


Telegram
Twitter