A hacker stole almost $17 million from users of Matcha Meta on January 25, beginning around 5:10pm London time, according to reporting. PeckShield identified the incident as a security breach, and Matcha Meta confirmed the attack later that evening.
Matcha Meta attributed the exploit to its integrated aggregator, SwapNet, and warned affected users to revoke approvals. The project advised revoking approvals to aggregators outside of 0x One-Time Approval contracts (Ed. note: revoke approvals immediately if you traded through SwapNet).
“The nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts.”
When users trade on chains like Ethereum, they must approve exchanges to spend tokens on their behalf. Some users set unlimited approvals to speed up trades, a practice that can let attackers drain wallets if the approved contract is exploited.
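To see which approvals a wallet still has open, its ERC-20 `Approval` logs can be replayed in order. The sketch below is an added example, not code from Matcha Meta, SwapNet or 0x; the log dictionaries follow the usual JSON-RPC field names, and every address, along with the `ROUTER` and `ONE_TIME` names, is a constructed placeholder.

```python
# Added example (not from the article): replay ERC-20 Approval logs to find open allowances.
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "unlimited approval" value, type(uint256).max

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def open_allowances(logs, trusted_spenders=()):
    """Return non-zero allowances last granted to spenders outside trusted_spenders.

    This is the last approved amount, not what remains after transferFrom;
    the token's allowance(owner, spender) call is authoritative.
    """
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 reuses the same topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # a later approve() overwrites, 0 revokes
    return [
        {"token": t, "owner": o, "spender": s, "unlimited": amt == UNLIMITED, "amount": amt}
        for (t, o, s), amt in latest.items()
        if amt != 0 and s not in trusted
    ]

# Constructed sample data: every address below is a made-up placeholder.
def _addr(byte): return "0x" + byte * 20
def _topic(addr): return "0x" + "0" * 24 + addr[2:]
def _word(n): return "0x" + format(n, "064x")
TOKEN_A, TOKEN_B, WALLET = _addr("11"), _addr("22"), _addr("aa")
ROUTER, ONE_TIME = _addr("bb"), _addr("cc")  # hypothetical aggregator router / allowlisted contract

def _log(block, idx, token, spender, amount):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, _topic(WALLET), _topic(spender)], "data": _word(amount)}

SAMPLE_LOGS = [
    _log(103, 1, TOKEN_B, ROUTER, 0),          # revocation, listed out of order on purpose
    _log(100, 0, TOKEN_A, ROUTER, UNLIMITED),  # still open
    _log(101, 2, TOKEN_A, ONE_TIME, UNLIMITED),
    _log(102, 0, TOKEN_B, ROUTER, 500),        # superseded by the revocation at block 103
]

if __name__ == "__main__":
    for finding in open_allowances(SAMPLE_LOGS, trusted_spenders=[ONE_TIME]):
        print(finding)
```

Each entry returned is an approval to revoke or to confirm against the token's `allowance()` view before relying on it.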
Weilin Li described the flaw as an attacker-controlled call that drained open allowances, calling it the largest approval attack he had seen. Security reporting notes that code exploits remain common; a SlowMist report stated hackers stole over $649 million last year through similar vulnerabilities.

