Decentralized exchange aggregator Matcha Meta reported the loss of millions of dollars in assets following a security breach in its SwapNet integration. The incident came to light on Sunday when suspicious on-chain movements were detected, and several security firms shared separate estimates of the extent of the damage. Initial findings indicated that the attacker moved USDC assets from the Base network to Ethereum. The project team did not provide a clear picture of the scope of user funds affected.
How Was the Security Breach in the SwapNet Integration Revealed?
The first report based on on-chain analysis was shared by PeckShield, which stated that assets worth approximately $16.8 million were drained without authorization. According to its data, the attacker obtained approximately 3,655 ETH by swapping $10.5 million of USDC on the Base network and then moved the funds to the Ethereum network through bridging transactions. The fact that the transactions took place within a short period of time indicated an automated exploitation scenario.
Another security company, CertiK, calculated the loss at approximately $13.3 million in an assessment published earlier. According to CertiK, the root cause was an “arbitrary call” vulnerability in the SwapNet contract that allowed the attacker to move funds users had authorized the contract to spend. The difference between the two figures arose from additional transactions detected during the bridging process and from differences in methodology.
In its initial statement, Matcha Meta argued that only users who had granted direct contract authorization by disabling the One-Time Approval feature were at risk. The project stated that accounts using one-time approval were not affected and, on that basis, described the scope of the attack as limited.
User Authorizations and Sectoral Impacts
After the incident, Matcha Meta announced that it was working with the 0x team on the review and that the problem was not related to 0x’s AllowanceHolder or Settler contracts. In a statement published on the X platform, it emphasized that directly authorizing individual aggregator contracts carries additional risk for the user. To prevent this from recurring, the direct authorization option was removed from the system.
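The two patterns described above (an arbitrary-call router that can spend standing user allowances, and the mitigation of removing direct authorization) are illustrated below. This is an added, simplified example and not SwapNet's, Matcha Meta's or 0x's code; the contract and function names are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Risky pattern (illustrative, hypothetical): the router forwards caller-supplied
// calldata to any target. Because ERC-20 tokens check allowances against
// msg.sender, and msg.sender here is the router, every user who granted this
// contract a standing ("direct") allowance exposes that allowance to anyone
// who can reach execute(). The router has no concept of "whose" funds move.
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

// Hardened pattern (illustrative, hypothetical): call targets are restricted to
// an allowlist of swap venues, tokens are pulled only from msg.sender and only
// for the amount of this transaction, and a token contract is never a target.
// Combined with per-transaction (one-time) approvals on the user side, there is
// no standing allowance left for an arbitrary call to spend.
contract AllowlistedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function swap(address tokenIn, uint256 amountIn, address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        require(target != tokenIn, "token contract cannot be a call target");
        // Funds are always pulled from the caller, never from an arbitrary "from".
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}
```

A user-side check that follows from this: an aggregator that keeps a non-zero allowance after the swap has completed is exposed to exactly the class of bug CertiK describes, and the allowance should be revoked.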
While there has been no new status update from Matcha Meta, the rising wave of attacks across the industry feeds concern. Chainalysis data shows that cryptocurrency thefts will exceed $3.41 billion in total in 2025. The single $1.5 billion attack on Bybit alone accounted for almost half of the annual losses.
According to experts, the Matcha Meta incident showed once again that permission mechanisms designed to simplify the user experience must be evaluated together with the security architecture. In particular, the proliferation of cross-chain bridging and aggregator contracts expands the attack surface and deepens the debate over how much of that risk ends up with the end user.
