Catenaa, Thursday, January 29, 2026-Decentralized exchange aggregator Matcha Meta disclosed a security incident tied to its SwapNet integration, after blockchain security firms reported that attackers drained as much as $16.8 million in user assets.
The incident surfaced Sunday when PeckShield flagged suspicious on-chain activity showing an attacker swapping about $10.5 million in USDC on Base for roughly 3,655 ether before bridging funds to Ethereum.
Another security firm, CertiK, earlier estimated losses at about $13.3 million, also involving USDC on Base.
CertiK said the exploit likely stemmed from an arbitrary call vulnerability in the SwapNet contract, which allowed transfers of funds previously approved to the contract.
Matcha Meta said it was still assessing the full scope of the incident and did not confirm whether user funds were permanently lost.
In an initial update, the project said exposure was limited to users who had disabled one-time approvals and instead granted direct allowances to individual aggregator contracts.
Users who relied on one-time approval settings were not affected, according to the team.
After reviewing the issue with the 0x protocol team, Matcha Meta said the incident was not connected to 0x’s AllowanceHolder or Settler contracts.
The project later said it removed the option for users to set direct allowances on aggregators to prevent similar incidents.
The company had not issued a further update as of publication. Industry hacking activity has remained elevated, with crypto thefts totaling more than $3.41 billion in 2025, according to Chainalysis, driven in part by large-scale attacks and state-linked groups.
