SwapNet exploit highlights smart contract risks as crypto theft tops $3.41B, driven by cross-chain moves and weak approvals.
Decentralized exchange aggregator Matcha Meta has reported a security incident tied to its SwapNet integration. According to several onchain watchers, malicious actors have pulled out crypto assets worth about $16.8 million after an attack that targeted the platform’s smart contract weakness.
SwapNet Integration Exploit Triggers Security Incident at Matcha Meta
In a Monday notice, Matcha Meta explained that it was a victim of a security breach the previous day. As contained in the disclosure, attackers moved digital assets from an external aggregator linked to Matcha Meta’s interface, SwapNet.
After reviewing with 0x’s protocol team, we have confirmed that the nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts.
Users who have interacted with Matcha Meta via One-Time Approval are thus safe.
Users who have disabled One-Time… https://t.co/VQVmj4LL0F
— Matcha Meta 🎆 (@matchametaxyz) January 25, 2026
The platform disclosed that it spotted the suspicious movements after noticing large, unauthorized transfers from SwapNet’s router contract. In the statement, MM confirmed that it had contacted the SwapNet team to temporarily disable its contracts.
As per reports from blockchain security firm PeckShield, losses from the breach are pegged at roughly $16.8 million. Analysis showed the attacker swapped about $10.5 million in USDC on Base for around 3,655 ETH. Afterwards, the funds were bridged to Ethereum.
Meanwhile, CertiK earlier placed the loss closer to $13.3 million in USDC on Base. CertiK linked the attack to an “arbitrary call” vulnerability in the SwapNet contract, which allowed previously approved funds to be transferred to the contract.
Matcha Meta has not confirmed whether user funds were fully lost. An initial statement said exposure was limited to users who had disabled One-Time Approvals and instead set direct allowances on specific aggregator contracts. The protocol added that accounts using One-Time Approval were not affected.
But following a review with the protocol team at 0x, Matcha Meta clarified that the issue did not involve 0x’s AllowanceHolder or Settler contracts.
The team clarified that users who disable One-Time Approval and rely on direct allowances assume additional risk tied to each aggregator. Matcha Meta added that it has removed the option to set direct allowances on aggregators to prevent similar incidents.
Smart Contract Flaws and Cross-Chain Laundering Fuel Rising Crypto Hacks
With the increasing growth of the crypto market, security breaches continue to pressure projects and platforms in the sector. According to Chainalysis, crypto-related theft exceeded $3.41 billion in 2025, slightly higher than the previous year.
A large share of illicit activity involved rapid asset movement across chains and services designed to obscure transaction trails.
Interestingly, research by Elliptic shows that many laundering operations now rely on coin-swapping services. Such services often operate through standalone websites or Telegram channels, enabling attackers to quickly move stolen funds.
Similar risks surfaced last year when decentralized exchange aggregator CoWSwap reported a breach. During the onchain raid, about $180,000 in DAI was withdrawn via the GPv2Settlement smart contract.
As observed by market watchers, smart contract flaws remain a leading cause of losses. SlowMist reported that contract vulnerabilities accounted for just over 30% of crypto exploits in 2025.
Image Source: SlowMist
Additionally, experts have pointed to advances in AI technology as another factor driving active exploitation. Artificial intelligence helps drive vulnerability discovery and active exploitation.
A single $1.5 billion hack of Bybit represented 44% of all losses in the past year. Meanwhile, North Korea-linked groups stole a record $2.02 billion.
Since the turn of the year, crypto-focused platforms have seen a surge in attacks. DeFi protocol Makina Finance lost about $4.13 million after hackers drained its DUSD/USDC pool on Curve. Shortly after, Layer-1 network Saga paused its SagaEVM chain following an exploit that moved nearly $7 million in assets to Ethereum.
Image by Clint Patterson from Unsplash