SwapNet Vulnerability Leads to $16.8M Drain in Matcha Meta Security Incident
Following a smart contract security flaw, Matcha Meta has issued urgent warnings for users to withdraw approvals from SwapNet's router contract as the Base blockchain incident resulted in losses reaching $16.8 million.

On Sunday, Matcha Meta, a decentralized exchange aggregator, experienced a security compromise through SwapNet, one of its key liquidity providers, marking yet another cyberattack exploiting weaknesses in smart contract infrastructure.
The breach was made public by Matcha Meta through an X platform announcement on Sunday, cautioning that users who had turned off one-time token approvals could face potential risks. The platform issued an immediate call to action for users to revoke any and all approvals they had previously granted to SwapNet's router contract in order to mitigate additional financial losses.
The amount of cryptocurrency stolen remains disputed among different sources. Blockchain security firm CertiK reported approximately $13.3 million was compromised, whereas PeckShield placed the estimate at a minimum of $16.8 million in assets drained from the Base network.
"So far, ~$16.8M worth of crypto has been drained. On Base, the attacker swapped ~10.5M USDC for ~3,655 ETH and has begun bridging funds to Ethereum," wrote PeckShield in a Monday X post, urging users to revoke all approvals related to the protocol.
According to CertiK's analysis, the vulnerability originated from an "arbitrary call in @0xswapnet contract that let attacker to transfer funds approved to it."
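Because the flaw let the attacker move any funds approved to the router, an open allowance is the exposure, and revoking it is the fix. The Python below is an added example, not code from Matcha Meta, SwapNet or the original article: it replays ERC-20 Approval logs to list allowances still open to one spender and builds the approve(spender, 0) calldata that revokes them. ROUTER, OTHER, TOKEN, ALICE, BOB and the sample logs are constructed placeholders.

```python
# Added example. Every address and log entry here is a constructed placeholder.
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the usual "unlimited" approval amount
ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20  # spender under audit, unrelated spender
TOKEN, ALICE, BOB = "0x" + "11" * 20, "0x" + "a1" * 20, "0x" + "b0" * 20

def pad32(hex_value):
    """Left-pad a hex string (with or without 0x) to one 32-byte ABI word."""
    return hex_value.lower().replace("0x", "", 1).rjust(64, "0")

def make_log(token, owner, spender, amount, block, index):
    """Build a constructed Approval log in eth_getLogs JSON shape."""
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
            "data": "0x" + pad32(hex(amount))}

def outstanding_allowances(logs, spender):
    """Return {(token, owner): amount} for non-zero allowances granted to spender."""
    # Upper bound only: many tokens lower the allowance inside transferFrom
    # without emitting Approval, so confirm each hit with allowance(owner, spender).
    latest = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topics[2][-40:].lower() != spender[2:].lower():
            continue
        owner = "0x" + topics[1][-40:].lower()
        latest[(log["address"].lower(), owner)] = int(log["data"], 16)  # last write wins
    return {key: amount for key, amount in latest.items() if amount > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + pad32("0")

SAMPLE_LOGS = [  # deliberately out of chain order
    make_log(TOKEN, BOB, ROUTER, 0, block=5, index=0),          # Bob revokes
    make_log(TOKEN, ALICE, ROUTER, MAX_UINT256, block=1, index=2),
    make_log(TOKEN, ALICE, OTHER, 1000, block=3, index=0),      # different spender
    make_log(TOKEN, BOB, ROUTER, 500, block=2, index=1),
]

if __name__ == "__main__":
    for (token, owner), amount in outstanding_allowances(SAMPLE_LOGS, ROUTER).items():
        print(owner, "->", token, hex(amount), "revoke with", revoke_calldata(ROUTER))
```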
The protocol clarified that the security risk was associated with SwapNet's infrastructure rather than Matcha Meta's own systems. Cointelegraph reached out to Matcha Meta seeking additional details regarding the root cause of the vulnerability and whether there are plans to reimburse impacted users or implement enhanced security measures, but no reply had been received at the time of publication.
This security breach comes just two weeks after a separate smart contract exploit drained $26 million from Truebit, an offline computation protocol, and triggered a 99% price collapse for the Truebit (TRU) token, as Cointelegraph documented on Jan. 8.
Smart contracts the largest target for crypto hackers
Vulnerabilities in smart contracts have become the predominant source of cryptocurrency-related losses. According to SlowMist's year-end report, smart contract weaknesses were responsible for 30.5% of all cryptocurrency exploits throughout 2025, spanning 56 separate cybersecurity incidents.
In second place, compromised accounts and hijacked X accounts were responsible for 24% of incidents.
Cybersecurity experts say that advances in artificial intelligence are fundamentally changing how security vulnerabilities are discovered.
Last December, readily accessible generative AI agents successfully identified $4.6 million in potential smart contract exploits within deployed protocols, utilizing advanced models including Anthropic's Claude Opus 4.5, Claude Sonnet 4.5 and OpenAI's GPT-5.