On Sunday, decentralized exchange aggregator Matcha Meta reported a security breach that routed through the liquidity provider SwapNet, urging users to revoke approvals immediately in a post. The protocol warned that users who had disabled one-time token approvals could be at risk and asked them to revoke permissions to SwapNet’s router contract.
Estimates of stolen funds vary between security firms, with CertiK citing about $13.3 million and PeckShield reporting at least $16.8 million on the Base network, according to their posts (CertiK, PeckShield). “So far, ~$16.8M worth of crypto has been drained,” PeckShield wrote, noting the attacker swapped roughly $10.5 million in USDC for about 3,655 ETH and began bridging funds to Ethereum.
CertiK said the exploit resulted from an “arbitrary call in @0xswapnet contract that let attacker to transfer funds approved to it.” Matcha Meta stated the issue was linked to SwapNet rather than its own infrastructure. (Ed. note: revoke all approvals granted to SwapNet’s router contract immediately.)
Smart-contract vulnerabilities were the leading cause of crypto exploits in 2025, accounting for 30.5% of incidents and 56 cybersecurity events, per SlowMist. Two weeks earlier, an exploit of Truebit cost about $26 million and collapsed its TRU token by 99%.
