SwapNet Hacked for $16.8M Exploiting Token Approvals

Edgen Crypto

·Jan 26 2026, 02:37

Share to

Share to

Copy link

Key Takeaways

Matcha Meta's SwapNet platform was exploited for approximately $16.8 million, highlighting critical vulnerabilities in DeFi token permissions. The attack targeted users who had disabled single-use approval settings, allowing the hacker to drain funds. The platform has since disabled the compromised contracts to halt further losses.

$16.8 Million Stolen: A security breach on SwapNet resulted in significant user losses, with the attacker siphoning funds from wallets with weak permission settings.
Approval Vulnerability Exploited: The attacker leveraged unlimited token approvals, a common but high-risk feature in DeFi that gives contracts continuous access to user funds.
Contracts Disabled: In response to the attack, the SwapNet team has taken the affected smart contracts offline to prevent further damage and begin an investigation.

SwapNet Loses $16.8M in Token Approval Exploit

Matcha Meta has confirmed its SwapNet platform suffered a major security breach, resulting in the theft of approximately $16.8 million in crypto assets. The exploit specifically targeted users who had disabled the platform's 'one-time approval' security feature, which granted the attacker persistent permission to drain their wallets.

This vulnerability, rooted in unlimited token approvals, represents a persistent and critical risk within decentralized finance. By granting a smart contract indefinite spending rights, users unknowingly create a permanent backdoor for potential exploits if the contract's security is ever compromised.

Attacker Moves $10.5M in Stolen Funds via Base

The hacker acted quickly to launder the stolen assets. On-chain analysis shows the perpetrator swapped roughly $10.5 million in USDC for 3,655 ETH on the Base network. Immediately after the swap, the attacker began bridging the newly acquired Ether to the Ethereum mainnet in an effort to obscure the trail of funds.

In response to the breach, the SwapNet team disabled the affected smart contracts to prevent further losses. The incident is expected to significantly damage user trust in both SwapNet and its parent entity, Matcha Meta, and may trigger a substantial withdrawal of liquidity from the platform.