Skip to main content
Sign in

Matcha Meta

avoid.net/matcha-meta28/100·82% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·TZbgFE…TcUe

Summary

Matcha Meta is a DEX meta-aggregator built on the 0x protocol by 0x Labs, launched in 2020, that routes trades across 140+ DEXs on 10+ blockchains. On January 25, 2026, a vulnerability in the SwapNet routing module — an integrated third-party liquidity provider — was exploited via an arbitrary external call flaw, draining open token allowances from users who had disabled the platform's default One-Time Approval feature. PeckShield reported initial losses of approximately $16.8M; Matcha Meta's post-mortem confirmed $13.43M in net losses across 20 affected users, with the balance attributable to a separate, concurrent $3.4M Aperture Finance exploit. Users with persistent approvals to SwapNet contracts face ongoing residual exposure until those allowances are revoked.

Connected Entities

1 entities · 5 linked investigations
Organizations
Matcha Meta
Relationships
    Also appears in
    Trenton Johnston·2Kelsier Ventures·4Solana MEV Sandwich Bots·5Uniswap Google Ad Phishing Campaign (May 2026)·0TrustedVolumes·18
    Have evidence about Matcha Meta?

    Timeline(6 events)

    2020-04-01

    Matcha launched by 0x Labs as a DEX aggregator interface, aggregating liquidity across multiple DEXs on Ethereum.

    0x Labs / matcha.xyz official

    2026-01-25

    SwapNet router contract exploit begins at approximately 5:10 PM London time. Attacker exploits arbitrary call vulnerability in function 0x87395540() to drain open token allowances from users who disabled One-Time Approvals. Approximately $10.5M USDC swapped for ~3,655 ETH on Base network.

    PeckShieldAlert on X; Matcha Meta post-mortem

    2026-01-25

    At approximately 9:47 PM London time, Matcha Meta publicly acknowledges the security incident on X, urging users to revoke approvals to SwapNet contracts. PeckShield reports $16.8M in losses.

    PeckShieldAlert on X; DL News

    2026-01-25

    Aperture Finance, a separate multi-chain liquidity protocol, also suffers an exploit using a functionally identical arbitrary-call vulnerability on the same date, accounting for an additional ~$3.4-3.67M in losses tracked within the broader $16.8M PeckShield estimate.

    Cryptopolitan; BlockSec Blog

    2026-01-26

    Matcha Meta publishes official post-mortem confirming $13.43M in net SwapNet-specific losses across 20 users, exonerating 0x core contracts. Protocol permanently removes the direct allowance option from its interface.

    Matcha Meta SwapNet Incident Post Mortem

    2026-02-05

    Aperture Finance separately confirms $3.67M in losses from the January 25 exploit, corroborating the concurrent nature of the two incidents.

    BeInCrypto; BlockSec Blog
    Provenance & Audit Trail
    Anchored on SolanaVerify on-chain

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-6

    generated: 5/26/2026, 7:42:36 PM

    last updated: 5/26/2026, 7:42:40 PM

    avoid.net — verified advice for a post-truth world