Users told to revoke approvals after Matcha Meta SwapNet breach
Matcha Meta has urged users to revoke approvals to SwapNet’s router after a smart contract exploit drained up to $16.8 million on Coinbase’s Base network.
The company said the issue is tied to SwapNet, a third-party liquidity source integrated into the aggregator, and appears to impact users who disabled 0x One-Time Approvals and instead granted direct token allowances to SwapNet. Exploit details and loss totals are still being verified.
What we know about the Matcha Meta SwapNet exploit
PeckShield reported that on Base the attacker swapped about $10.5M USDC for ~3,655 ETH and began bridging funds to Ethereum. Independent trackers and media posts place losses near $16.8M, though CertiK commentary in some feeds referenced a ~$13.3M figure, underscoring uncertainty as funds move across chains. Matcha Meta says it’s coordinating with SwapNet, which has disabled affected contracts, and is directing users to revoke approvals granted outside 0x’s One-Time Approval system.
Timeline of the Matcha Meta SwapNet exploit
Jan. 25–26, 2026: Alerts surface on X; PeckShield cites ~$16.8M drained.
Jan. 26, 2026: Matcha Meta advises revoking approvals to SwapNet router and notes contracts were disabled pending investigation.

Impact and who is affected
Users who opted out of One-Time Approvals on Matcha Meta and manually approved SwapNet’s router are most exposed. Because ERC-20 approvals persist until revoked, an attacker who can abuse the approved contract can move tokens up to the full allowance. Disconnecting your wallet from a site does not cancel an approval; revoking it is what cuts off the permission.
How to reduce risk after the SwapNet incident
Revoke approvals to SwapNet’s router (address flagged in advisories) and any other third-party aggregators you don’t actively use.
Prefer One-Time Approvals when available to limit standing permissions.
Monitor addresses for new approvals and set a cadence (e.g., monthly) to prune old allowances.
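The monitoring and revocation steps above, as an added example that is not from the original article or from Matcha Meta or SwapNet: it replays ERC-20 Approval logs to list allowances still standing for one owner and builds the approve(spender, 0) calldata that revokes them. The log dictionaries mimic eth_getLogs fields with integer block numbers, and every address is a constructed placeholder, not the SwapNet router.

```python
# Added example: addresses and logs below are constructed placeholders.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
MAX_UINT256 = 2**256 - 1        # the usual "unlimited" allowance

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, owner):
    """Last Approval per (token, spender) wins. This is an upper bound:
    transferFrom spending lowers the real value, so confirm with allowance()."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it.
        is_erc20 = len(t) == 3 and t[0].lower() == APPROVAL_TOPIC
        if is_erc20 and topic_to_address(t[1]) == owner.lower():
            state[(log["address"].lower(), topic_to_address(t[2]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}  # zero means revoked

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0); send it to the token contract."""
    raw = spender.lower()[2:]
    if len(raw) != 40:
        raise ValueError("expected a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + raw.rjust(64, "0") + "0" * 64

def revocations(logs, owner, watched_spenders):
    """(token, spender, unlimited?, calldata) per live allowance to a watched spender."""
    watched = {s.lower() for s in watched_spenders}
    return [(tok, sp, amt == MAX_UINT256, revoke_calldata(sp))
            for (tok, sp), amt in sorted(standing_allowances(logs, owner).items())
            if sp in watched]

# Constructed sample data.
OWNER, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20

def make_log(block, idx, token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

LOGS = [make_log(110, 1, TOKEN_B, OWNER, ROUTER, 0),            # later revoke
        make_log(100, 0, TOKEN_A, OWNER, ROUTER, MAX_UINT256),  # unlimited
        make_log(105, 2, TOKEN_B, OWNER, ROUTER, 500),
        make_log(108, 0, TOKEN_B, OWNER, OTHER, 750),
        make_log(120, 0, TOKEN_A, OTHER, ROUTER, 1000)]         # different owner
```

Calling revocations(LOGS, OWNER, [ROUTER]) returns the one allowance still open to the watched spender, flagged as unlimited, with the calldata to zero it.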
Context & Analysis
The case highlights a recurring DeFi risk: standing token approvals combined with router/aggregator contracts can become a single point of failure. Even audited projects face exposure when integrated contracts permit arbitrary calls or lack strict input validation. Standard user hygiene (revoking stale approvals, limiting allowances, and preferring one-time permissions) remains the most practical mitigation.

Concluding Remarks
Matcha Meta has advised users to focus on personal security measures while its investigation with SwapNet continues. Estimated losses range between approximately $13.3 million and $16.8 million, highlighting the scale of the incident. Since the affected funds have already been bridged out, the chances of recovery remain unclear. Authorities and technical teams are still assessing the situation to determine possible next steps.
In the meantime, users are strongly encouraged to revoke all risky token approvals immediately to limit further exposure. Adopting least-privilege wallet practices, minimizing permissions, and regularly reviewing security settings can help reduce future risks and improve overall asset protection in decentralized platforms.
FAQs
Q: What happened in the Matcha Meta SwapNet exploit?
A: An attacker abused a SwapNet contract integrated with Matcha Meta and drained up to approximately $16.8 million, mostly on the Base network.
Q: Who is affected?
A: Primarily users who disabled 0x One-Time Approvals and granted direct token approvals to SwapNet’s router.
Q: How do I revoke approvals?
A: Use a trusted approval checker such as Revoke.cash or blockchain explorer tools, and submit an on-chain transaction to revoke the approvals.
Q: Is Matcha Meta’s core infrastructure compromised?
A: Current statements indicate that the exposure comes from SwapNet, not from Matcha Meta’s core systems.
Q: How much was stolen?
A: PeckShield estimates around $16.8M, while some other monitoring sources reported about $13.3M. Final numbers may change as investigations continue.
Q: Did the attacker bridge funds to Ethereum?
A: Yes. After swapping approximately $10.5M USDC for ~3,655 ETH on Base, the attacker started bridging the funds to Ethereum.
Q: Does revoking approvals stop future drains?
A: Yes. Revoking approvals removes the contract’s permission to spend your tokens, reducing the risk of future unauthorized transfers.
Facts
Event: SwapNet smart contract exploit affecting Matcha Meta users
Date/Time: 2026-01-26T12:00:00+05:00
Entities: Matcha Meta (0x ecosystem); SwapNet (DEX aggregator/router); PeckShield; CertiK; Base (L2)
Figures: ~$16.8M total (PeckShield); ~$13.3M (some CertiK commentary); ~10.5M USDC → ~3,655 ETH swap on Base (amounts)
Quotes: “We are aware of an incident with SwapNet… for those who turned off One-Time Approvals.” Matcha Meta on X (paraphrase of post)
Sources: CryptoTimes explainer + tweet embeds (https://www.cryptotimes.io/2026/01/26/security-alert-matcha-meta-flags-swapnet-bug-as-over-16-8m-is-drained/), BeInCrypto report (https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/)

