Key Highlights
- The SwapNet exploit drained $16.8M in crypto, including $10.5M USDC swapped for 3,655 ETH on Base.
- Vulnerability stemmed from an arbitrary call in the SwapNet contract, affecting users who disabled One-Time Approvals.
- Matcha and SwapNet disabled affected contracts; users are advised to revoke manual token approvals immediately.
Matcha Meta, the trading platform built by 0x, has issued a security alert after noticing a potential issue linked to SwapNet, one of the aggregators on its platform. The update was shared earlier today on X, where the team said some users may have been exposed to risk depending on how they had set up token approvals while using Matcha Meta.
According to Matcha Meta, the issue affects users who had disabled One-Time Approvals and instead allowed direct token approvals to individual aggregator contracts.
In its first statement, the team said: “We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time Approvals.”
Following the discovery, Matcha confirmed it is working closely with the SwapNet team, which has already taken action by disabling its contracts temporarily.
“We are in contact with the SwapNet team and they have temporarily disabled their contracts. The team is actively investigating and will provide rolling updates as more information becomes clear.”
SwapNet router address flagged
As part of the advisory, Matcha Meta urged users to revoke approvals associated with SwapNet’s router contract, identifying the following address as the default deployment across supported EVM chains: 0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e.
Users were advised to revoke permissions granted to this contract, especially if approvals were set manually instead of using Matcha’s One-Time Approval system.
Vulnerability linked to an arbitrary call
Further investigation suggests the issue may be linked to an arbitrary call vulnerability in the SwapNet contract. This appears to have allowed the attacker to move funds that users had already approved, without needing any additional permission.
On-chain data shows the attacker using this method to transfer user funds. One of the transactions linked to the activity can be viewed here: 0xaf77dda2c805c299703dbf83c5aa96f99425b35c9241dab5bdefb8d9d19273d3
Matcha has since confirmed that the affected contracts have been disabled while the investigation remains ongoing.
PeckShield flags fund drain
Blockchain security firm PeckShield later confirmed that the incident had resulted in an on-chain fund drain. In a post shared on X, the firm said users who had opted out of Matcha’s One-Time Approval system were affected.
According to PeckShield, around $16.8 million worth of crypto has been drained so far. On Base, the attacker reportedly swapped nearly $10.5 million in USDC for around 3,655 ETH, before beginning to bridge the funds over to Ethereum.
The firm also urged users to immediately revoke approvals granted to individual aggregators outside of 0x’s One-Time Approval contracts, warning that such permissions remain a major attack vector.
BlockSec confirms wider impact
BlockSec’s Phalcon platform also flagged the activity, noting that multiple victim contracts were targeted across chains.
According to BlockSec, attackers exploited contracts deployed across Ethereum, Arbitrum, Base, and BNB Chain, with total losses exceeding $17 million.
The firm said the affected contracts were not open-source and appeared to expose an arbitrary-call function, allowing attackers to abuse existing token approvals and execute transferFrom calls to drain assets.
Two major impacted deployers were identified:
- 0xbeef63AE5a2102506e8a352a5bB32aA8B30B3112 — approximately $3.67 million
- 0x9cb8d9BaE84830b7f5F11ee5048c04a80b8514BA — approximately $13.41 million
0x confirms core protocol not affected
Matcha Meta issued a follow-up clarification after reviewing the incident with the 0x protocol team.
“After reviewing with 0x’s protocol team, we have confirmed that the nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts.”
The update confirmed that users who relied on One-Time Approvals were not impacted. “Users who have interacted with Matcha Meta via One-Time Approval are thus safe.”
However, the platform reiterated that users who chose to grant direct token approvals to third-party aggregators do so at their own risk.
“Users who have disabled One-Time Approval and have set direct allowances on individual aggregator contracts assume the risks of each aggregator.”
To prevent similar issues going forward, Matcha Meta confirmed that it has now removed the option for users to directly approve aggregator contracts.
“We have removed the ability for users to set allowances on aggregators directly such that this cannot happen moving forward.”
What users should do
Users are advised to:
- Revoke approvals linked to SwapNet and other third-party aggregators.
- Use One-Time Approvals when trading on Matcha.
- Stay alert for further updates as the investigation continues.
At the time of writing, there is no indication that 0x’s core infrastructure was compromised. The incident appears limited to how permissions were handled at the aggregator level.
Also Read: Makina Finance: 83% of Lost ETH Recovered, v1.1 Upgrade Live Monday
