SwapNet Exploit Drains Up to $16.8M, Impacting Matcha Meta Users

What Happened and Who Is Affected?

Decentralized exchange aggregator Matcha Meta disclosed a security breach on Sunday after one of its primary liquidity providers, SwapNet, was exploited through a smart-contract vulnerability. The incident adds to a growing list of attacks that have targeted approval-based router contracts across DeFi.

In a post on X, Matcha Meta warned that users who had previously granted token approvals to SwapNet’s router contract could be exposed. The protocol urged affected users to revoke all approvals tied to the router to limit further losses. Matcha Meta said the issue was connected to SwapNet rather than its own infrastructure.

Loss estimates differ among security firms. CertiK put the figure at roughly $13.3 million, while PeckShield reported higher losses of at least $16.8 million on the Base network. PeckShield added that the attacker had already converted a large share of the proceeds and started moving funds off-chain.

“So far, ~$16.8M worth of crypto has been drained. On Base, the attacker swapped ~10.5M USDC for ~3,655 ETH and has begun bridging funds to Ethereum,” PeckShield wrote in a Monday X post, again urging users to revoke approvals connected to the protocol.

Investor Takeaway

Approval-based router contracts remain a weak point in DeFi. Users who leave broad token approvals in place face ongoing exposure even after an exploit becomes public.

How the Exploit Worked

According to CertiK, the breach stemmed from an arbitrary call vulnerability in the SwapNet contract that allowed the attacker to move funds previously approved to the router. This type of flaw does not require compromising user wallets directly. Instead, it abuses permissions that users had already granted during routine trading activity.

That distinction matters for understanding the scope of risk. Users who never interacted with SwapNet’s router contract are unlikely to be affected, while those who approved tokens in the past may still be vulnerable until approvals are revoked. Matcha Meta emphasized that the exposure was confined to SwapNet’s router and did not involve a compromise of Matcha Meta’s own systems.

As of publication, Matcha Meta had not commented on whether affected users would be compensated or whether additional safeguards would be introduced. The lack of immediate clarity reflects a broader pattern in DeFi incidents, where responsibility can be blurred across aggregators, liquidity providers, and underlying smart contracts.

Why Smart-Contract Attacks Keep Dominating Losses

The SwapNet exploit follows a string of recent smart-contract incidents. Earlier this month, an attack on the offline computation protocol Truebit resulted in $26 million in losses and triggered a near-total collapse in the TRU token’s price. Together, these cases highlight how contract-level flaws can translate quickly into user losses and market disruption.

Data from SlowMist’s year-end report shows that smart-contract vulnerabilities were the leading cause of crypto losses in 2025, accounting for 30.5% of all exploits across 56 incidents. Account takeovers and compromised social-media accounts ranked second, at 24%.

For attackers, smart contracts offer scale. A single flaw can expose funds from thousands of users who have approved a contract, creating large payouts without the need to target individuals one by one. For users, the risk is less visible, since approvals often persist long after a trade is completed.

Investor Takeaway

The concentration of losses in smart-contract exploits suggests that technical risk, not market volatility, remains the primary threat vector in DeFi.

The Role of AI in Finding Vulnerabilities

Security researchers say advances in artificial intelligence are changing how contract weaknesses are discovered, for both defenders and attackers. In December, commercially available generative AI tools identified an estimated $4.6 million in exploitable smart-contract flaws across existing protocols.

These findings suggest that vulnerability discovery is becoming faster and cheaper. While that can help auditors and white-hat researchers, it also lowers the barrier for malicious actors to scan deployed contracts for weaknesses that may have gone unnoticed during initial audits.

For DeFi platforms, this environment raises the bar for ongoing monitoring. Audits conducted before launch may no longer be sufficient when contracts remain live for months or years, accumulating user approvals and value along the way.

What Comes Next for Users and Protocols

In the short term, the immediate action for affected users is clear: revoke all token approvals linked to SwapNet’s router contract. Tools for reviewing and canceling approvals have become a standard part of DeFi risk management, yet many users still overlook them.
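As an added illustration of the approval review described above (example code written for this page, not from Matcha Meta, SwapNet, or any security firm cited), the following replays ERC-20 `Approval` event logs to find owners whose approval to a given spender is still open, and builds the `approve(spender, 0)` calldata that revokes it. All addresses are placeholders and the log entries are constructed; the helper names are hypothetical.

```python
# Added example: constructed logs and placeholder addresses, none taken from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

ROUTER = "0x" + "aa" * 20  # placeholder for the router (spender) address
OTHER = "0x" + "cc" * 20   # placeholder for an unrelated spender
TOKEN = "0x" + "bb" * 20   # placeholder ERC-20 token
ALICE, BOB = "0x" + "01" * 20, "0x" + "02" * 20

def topic_addr(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def make_log(block, idx, token, owner, spender, value):
    """Build a constructed entry shaped like an eth_getLogs result."""
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, topic_addr(owner), topic_addr(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, ALICE, ROUTER, MAX_UINT256),  # unlimited approval
    make_log(101, 2, TOKEN, BOB, ROUTER, 5_000_000),      # bounded approval
    make_log(102, 1, TOKEN, ALICE, OTHER, MAX_UINT256),   # different spender
    make_log(105, 0, TOKEN, BOB, ROUTER, 0),              # Bob revoked later
]

def outstanding_approvals(logs, spender):
    """Return the last non-zero approval per (token, owner) for `spender`."""
    want, latest = topic_addr(spender), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval shares the signature hash but has 4 topics; skip it.
        if len(t) != 3 or t[0] != APPROVAL_TOPIC or t[2].lower() != want:
            continue
        latest[(log["address"].lower(), "0x" + t[1][-40:])] = int(log["data"], 16)
    return [{"token": tok, "owner": own, "value": v, "unlimited": v == MAX_UINT256}
            for (tok, own), v in latest.items() if v > 0]

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for entry in outstanding_approvals(SAMPLE_LOGS, ROUTER):
        print(entry["owner"], "unlimited" if entry["unlimited"] else entry["value"])
    print(revoke_calldata(ROUTER))
```

Event logs record the last value approved, not what remains after spending, so the token's `allowance(owner, spender)` view is the authoritative check before and after revoking.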