
Matcha Meta SwapNet Breach Exposes Risks Tied to Direct Aggregator Allowances


  • Matcha Meta exploit highlights hidden risks tied to direct aggregator allowances
  • Millions drained on Base as SwapNet vulnerability triggers rapid fund movements
  • One-Time Approval emerges as key defense amid rising DeFi security incidents

Activity on Base drew sudden attention after Matcha Meta acknowledged a security issue tied to its SwapNet integration. Blockchain security firms soon traced a multi-million-dollar outflow of funds, triggering renewed concern over how aggregator permissions expose users during contract failures.


Soon after, on-chain trackers identified rapid movements of stablecoins through the affected contracts. PeckShield estimated that roughly $16.8m in assets were drained. The firm observed about $10.5m in USDC being swapped for roughly 3,655 ETH. Shortly afterward, the attacker began bridging the funds from Base to Ethereum.


However, another assessment from CertiK suggested a lower figure, estimating losses at around $13.3m in USDC on Base. The firm linked the exploit to an arbitrary call vulnerability in the SwapNet contract: the contract could be made to issue a call of the attacker's choosing, and because users had granted it token allowances, that call could be a transferFrom that moved previously approved user funds out of their wallets.




User Exposure Depended on Approval Settings

Importantly, Matcha Meta did not confirm whether all affected funds belonged to users. The project explained that exposure applied only to users who had disabled One-Time Approval. Those users had granted direct allowances to individual aggregator contracts, meaning standing token approvals that remained in force after each swap. As a result, wallets that relied on One-Time Approval were not affected.


Additionally, the team reviewed the incident with the 0x protocol developers and later stated on X that the exploit did not involve 0x’s AllowanceHolder or Settler contracts. This clarification helped narrow the scope of the issue to the SwapNet integration itself.


Security Design Choices Under Renewed Scrutiny

Beyond the immediate figures, the incident reignited debate around permission models in decentralized finance. Matcha Meta stated that users who enable direct allowances assume risks tied to each aggregator. Consequently, the platform removed the option for users to set such allowances going forward.


Moreover, the team highlighted the defensive value of One-Time Approval models. Under that setting the wallet grants only what a single transaction needs and the allowance is consumed in that transaction, so a later contract exploit has nothing left to pull. Hence, the incident illustrated how convenience-driven configurations can amplify losses when vulnerabilities emerge.
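The failure mode CertiK describes above (an arbitrary call in a contract that holds user allowances) and the reason the One-Time Approval model limits it, as an added Solidity illustration. This is not SwapNet's, Matcha Meta's or 0x's code; VulnerableRouter, Drainer and HardenedRouter are hypothetical contracts, the IERC20 interface is a minimal constructed surface, and the call flow is assumed for the sake of the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (constructed inline so the file is self-contained).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical vulnerable router (not SwapNet's code). Users grant it a standing
/// allowance so it can pull tokens for swaps, and it forwards an arbitrary call
/// to any target with any calldata. Because the router is msg.sender for that
/// call, the token contract sees a transferFrom request from an approved spender.
contract VulnerableRouter {
    function executeSwap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

/// The drain: point the router at the token itself and have it call transferFrom
/// against any wallet that still holds an allowance on the router. No action by
/// the victim is needed; the allowance granted earlier is the only prerequisite.
contract Drainer {
    function drain(VulnerableRouter router, IERC20 token, address victim, uint256 amount) external {
        bytes memory data = abi.encodeCall(IERC20.transferFrom, (victim, address(this), amount));
        router.executeSwap(address(token), data);
    }
}

/// Hardened variant: the router only ever moves tokens belonging to msg.sender,
/// only the amount stated for this swap, and only calls allow-listed venues.
/// Combined with a user-side one-time approval (approve exactly amountIn right
/// before calling swap), the allowance is fully consumed in the same transaction
/// and nothing is left for a later bug to pull. Output-token handling is left to
/// the venue named in `data` and omitted here.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget; // swap venues only, never token contracts

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function swap(IERC20 tokenIn, uint256 amountIn, address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allow-listed");
        require(target != address(tokenIn), "token contract is not a swap venue");
        // Pull only from the caller, never from a third party named in calldata.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Grant the venue exactly what this swap needs, then forward the call.
        require(tokenIn.approve(target, amountIn), "approve failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
        // Revoke any unspent venue allowance so the router holds no standing approvals.
        require(tokenIn.approve(target, 0), "revoke failed");
    }
}
```

Two caveats a practitioner would check. First, the hardened router still forwards an arbitrary call, just to an allow-listed venue; that moves the trust to whoever controls the allow-list, so a token contract or any other contract that exposes transferFrom must never be listed. Second, the `require(tokenIn.approve(...))` pattern assumes a token that returns a bool; non-compliant tokens such as those that return nothing need a SafeERC20-style wrapper. To see whether a wallet still holds a standing allowance on a given spender, Foundry's `cast call <token> "allowance(address,address)(uint256)" <owner> <spender> --rpc-url <url>` returns the remaining amount, and a nonzero value for a contract you no longer use is an allowance worth revoking.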


Meanwhile, the episode unfolded during a difficult period for the crypto industry, as hacking activity continued to pressure market confidence across major platforms and smart contracts. Chainalysis reported that cryptocurrency theft exceeded $3.41bn in 2025, up from $3.38bn previously.


One Bybit-linked hack alone reached $1.5bn, representing 44% of total losses. North Korea-linked actors accounted for the largest share, with stolen assets totaling $2.02bn. At the time of writing, Matcha Meta had not released further updates.

