Decentralized exchange (DEX) aggregator Matcha Meta suffered a security breach on Sunday through one of its primary liquidity providers, SwapNet, in the latest cyberattack tied to exploiting smart-contract vulnerabilities.
Matcha Meta disclosed the breach in a post on X on Sunday, warning that users who had disabled one-time token approvals may be at risk. The protocol urged users to immediately revoke all approvals granted to SwapNet’s router contract to prevent further losses.
Estimates of the stolen funds vary. Blockchain security company CertiK said about $13.3 million was taken, while PeckShield said at least $16.8 million was stolen on the Base network.
“So far, ~$16.8M worth of crypto has been drained. On Base, the attacker swapped ~10.5M USDC for ~3,655 ETH and has begun bridging funds to Ethereum,” wrote PeckShield in a Monday X post, urging users to revoke all approvals related to the protocol.
CertiK said the exploit stemmed from an “arbitrary call in @0xswapnet contract that let attacker to transfer funds approved to it.”
Matcha Meta said the exposure was linked to SwapNet rather than its own infrastructure. Cointelegraph has contacted Matcha Meta for comment on the cause of the vulnerability and any plans to compensate affected users or strengthen safeguards, but had not received a response by publication.
The incident comes two weeks after another smart-contract exploit resulted in $26 million in losses from the offline computation protocol Truebit and a 99% crash for the Truebit (TRU) token, Cointelegraph reported on Jan. 8.
Related: Bitcoin investor loses retirement fund in AI-fueled romance scam
Smart contracts the biggest target for crypto hackers
Smart-contract flaws have emerged as the leading cause of crypto losses. Smart-contract vulnerabilities accounted for 30.5% of all the crypto exploits in 2025, with 56 cybersecurity incidents, according to SlowMist’s year-end report.
Account compromises and hacked X accounts accounted for 24% in second place.
Related: Fake MetaMask 2FA security checks lure users into sharing recovery phrases
Security researchers say advances in artificial intelligence are also reshaping how vulnerabilities are identified.
In December, commercially available generative AI agents uncovered $4.6 million worth of smart-contract exploits in existing protocols, through Anthropic’s Claude Opus 4.5, Claude Sonnet 4.5 and OpenAI’s GPT-5.
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
