Matcha Meta, a decentralized exchange aggregator, has disclosed a security incident tied to its SwapNet integration after blockchain security firms detected a significant outflow of funds over the weekend.
According to on-chain analysis shared by PeckShield, the exploit resulted in an estimated $16.8 million in assets being drained. Data indicates that the attacker swapped roughly $10.5 million in USDC on Base for about 3,655 ETH, then began bridging those funds to Ethereum. Another security firm, CertiK, initially reported a smaller figure of around $13.3 million in USDC and pointed to what it described as an “arbitrary call” vulnerability in the SwapNet contract. This flaw may have allowed the attacker to move funds that users had previously approved.
#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of "One-Time Approvals" are at risk.
So far, ~$16.8M worth of crypto has been drained.
On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF
— PeckShieldAlert (@PeckShieldAlert) January 26, 2026
Matcha Meta acknowledged the incident on Sunday, emphasizing that the exposure was limited in scope. In its first update, the team said only users who had disabled One-Time Approvals and instead granted direct allowances to specific aggregator contracts were potentially affected. Users who relied on One-Time Approval, a feature designed to reduce ongoing permission risks, were not impacted.
Following a review with the 0x protocol team, Matcha Meta clarified that the issue was not connected to 0x’s AllowanceHolder or Settler contracts. In a post on X, the project explained that users who choose to set direct allowances on individual aggregators take on the associated risks. To prevent similar incidents, Matcha Meta said it has removed the option for users to set direct allowances on aggregators going forward.
After reviewing with 0x's protocol team, we have confirmed that the nature of the incident was not associated with 0x's AllowanceHolder or Settler contracts.
Users who have interacted with Matcha Meta via One-Time Approval are thus safe.
Users who have disabled One-Time… https://t.co/VQVmj4LL0F
— Matcha Meta 🎆 (@matchametaxyz) January 25, 2026
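A defender-side check for the exposure described above, as an added example that is not part of the original article or any project's code: it replays ERC-20 Approval logs to list wallets that still hold a non-zero direct allowance to a watched spender contract. The token, router and wallet addresses are constructed placeholders, and the 2**255 threshold for "unlimited" is an assumption.

```python
# Added example. All addresses are constructed placeholders, not real contracts.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: values this large are "infinite" approvals
TOKEN, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c4" * 20

def make_log(block, index, owner, spender, value):
    """Build a constructed eth_getLogs-style entry for Approval(owner, spender, value)."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [  # constructed, deliberately out of chain order
    make_log(18, 0, BOB, ROUTER, 0),             # Bob revokes his allowance
    make_log(16, 2, ALICE, ROUTER, 2**256 - 1),  # Alice: unlimited direct allowance
    make_log(15, 0, ALICE, ROUTER, 100),         # superseded by the log above
    make_log(17, 1, BOB, ROUTER, 500),
    make_log(17, 3, CAROL, OTHER, 1000),         # spender we are not watching
    make_log(19, 0, CAROL, ROUTER, 250),         # finite but still standing
]

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, watched_spenders):
    """Return the last non-zero allowance per (token, owner, watched spender)."""
    watched = {s.lower() for s in watched_spenders}
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if spender not in watched:
            continue
        value = int(log["data"], 16) if log["data"] not in ("", "0x") else 0
        latest[(log["address"].lower(), owner, spender)] = value
    # Upper bound only: many tokens emit no Approval when transferFrom spends
    # allowance, so confirm each hit with the token's allowance() before acting.
    return [{"token": t, "owner": o, "spender": s, "allowance": v,
             "unlimited": v >= UNLIMITED_FLOOR}
            for (t, o, s), v in latest.items() if v > 0]
```

Each entry returned is a candidate for revocation, which means setting the allowance for that spender back to zero.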
The company has not yet confirmed whether any user funds were definitively lost, and no further updates have been issued at the time of writing.
The incident adds to a growing list of high-profile security breaches in the crypto sector. According to Chainalysis, cryptocurrency theft surpassed $3.41 billion in 2025, slightly higher than the previous year. A single $1.5 billion hack of Bybit accounted for nearly half of those losses, while North Korea-linked groups were identified as the most active attackers, responsible for a record $2.02 billion stolen over the year.
As investigations continue, the Matcha Meta case serves as another reminder of the risks tied to smart contract permissions and the importance of cautious security practices in decentralized finance.