Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
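The three-way comparison described above can be reproduced offline. The following is an added example, not AVOID.NET's own verify_decision code: the function names and the sample record are constructed for illustration, and the memo text is assumed to have been copied from the transaction by the caller.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin alphabet (the one Solana tooling uses)."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is carried as a literal '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def digest_b58(canonical: bytes) -> str:
    # Hash the stored bytes exactly as given. Re-serializing the JSON first
    # can change key order or whitespace and produce a different digest.
    return b58encode(hashlib.sha256(canonical).digest())

def parse_memo(memo: str) -> dict:
    """Split AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>; reject other shapes."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[:2] != ["AVOID.NET", "v1"]:
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for part, key in zip(parts[2:], ("h", "d", "t")):
        if not part.startswith(key + ":"):
            raise ValueError(f"expected field {key!r}, got {part!r}")
        fields[key] = part[len(key) + 1:]
    if not fields["h"] or any(c not in B58 for c in fields["h"]):
        raise ValueError("hash field is not base58")
    return fields

def verify(canonical: bytes, db_hash: str, memo: str) -> dict:
    """Compare the three values; 'authentic' only if all of them agree."""
    recomputed = digest_b58(canonical)
    onchain = parse_memo(memo)["h"]
    return {
        "db_matches": db_hash == recomputed,
        "chain_matches": onchain == recomputed,
        "authentic": db_hash == recomputed == onchain,
    }

# Constructed sample decision (not a real AVOID.NET record).
SAMPLE = b'{"kind":"publish","page_slug":"example","sequence_num":1,"v":1}'
SAMPLE_HASH = digest_b58(SAMPLE)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_HASH}|d:example-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify(SAMPLE, SAMPLE_HASH, SAMPLE_MEMO))          # all three agree
    print(verify(SAMPLE + b" ", SAMPLE_HASH, SAMPLE_MEMO))   # edited bytes
```

A result with chain_matches true and db_matches false means the database hash differs from what was committed on-chain, while the stored bytes still match the memo.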
Decision
publish · Matcha Meta
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 422349703
- Off-chain at: 2026-05-26T19:42:40.198Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): 8RPJn8gAC4XACNWWM86JPAtvagbU6gESaDe1NA4K6iDL
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (16263 chars)
{"actor":"system:backfill","investigation_id":"1082f320-0183-48c9-8dd6-41b0f58dc19a","kind":"publish","page_slug":"matcha-meta","published_at":"2026-05-26T19:42:40.128Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Matcha Meta","sections":[{"content":"On January 25, 2026, at approximately 5:10 PM London time, SwapNet smart contracts integrated into the Matcha Meta platform were exploited. By 9:47 PM, Matcha Meta publicly acknowledged the breach on X (formerly Twitter), urging affected users to revoke token approvals immediately. Blockchain security firm PeckShield estimated initial losses at approximately $16.8M. Matcha Meta's official post-mortem, published the following day, confirmed net losses of $13.43M affecting 20 users. The discrepancy arose because PeckShield's estimate included $3.4M from a separate, concurrent Aperture Finance exploit that used the same vulnerability class but was unrelated to Matcha Meta's infrastructure. One user alone accounted for approximately $13.34M of the confirmed losses.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":2,"name":"PeckShieldAlert on X — initial $16.8M loss report","type":"social_media","url":"https://x.com/PeckShieldAlert/status/2015608261119217671"},{"credibility":1,"name":"SwapNet Incident Post Mortem — Matcha Meta official","type":"official","url":"https://meta.matcha.xyz/SwapNet-Incident-Post-Mortem"},{"credibility":2,"name":"Matcha Meta users hit in $13.4 million SwapNet contract exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/386986/matcha-meta-swapnet-incident"},{"credibility":2,"name":"Hacker swipes $13.5m from Matcha Meta users — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/matcha-meta-users-lose-millions-after-security-breach-at-integrated-protocol/"}]},{"content":"The exploit targeted function selector 0x87395540() in the SwapNet router contract 
(0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e), which lacked sufficient validation of user-supplied inputs. An attacker substituted a token contract address (such as USDC) in place of the expected router or pool address. The contract treated the token address as a valid execution target and issued low-level calls using attacker-controlled calldata, causing the victim contract to execute USDC.transferFrom(victim, attacker, amount) against all users who had granted persistent allowances to that contract. The attack was confirmed to operate on at least four chains: Ethereum, Arbitrum, Base, and Binance Smart Chain. A representative on-chain transaction on Base is 0xc15df1d131e98d24aa0f107a67e33e66cf2ea27903338cc437a3665b6404dd57. BlockSec noted that the SwapNet contract was closed-source, limiting prior third-party auditing. The 0x protocol's own AllowanceHolder and Settler contracts were confirmed unaffected.","heading":"Technical Root Cause: Arbitrary Call Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"$17M Closed-Source Smart Contract Exploit: Arbitrary-Call Vulnerability in SwapNet and Aperture Finance — BlockSec Blog","type":"research","url":"https://blocksec.com/blog/17m-closed-source-smart-contract-exploit-arbitrary-call-swapnet-aperture"},{"credibility":2,"name":"Arbitrary-call vulnerability blamed for $17M SwapNet and Aperture Finance hacks — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/arbitrary-call-blamed-swapnet-aperture-hack/"},{"credibility":2,"name":"How Opting Out of 0x One-Time Approvals Cost Users $16.8 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/"}]},{"content":"Only users who had manually disabled Matcha Meta's default One-Time Approval feature were exposed. That feature, when enabled, limits token allowances to the precise amount required for each individual trade, preventing residual open approvals. 
Users who opted out instead granted persistent, unlimited token allowances directly to individual aggregator contracts — including the SwapNet router. The post-mortem confirmed 20 affected users, though CertiK initially estimated approximately 18. One wallet accounted for the vast majority of losses at approximately $13.34M. Users who retained the One-Time Approval default were not at risk. Following the incident, Matcha Meta permanently removed the option for users to disable One-Time Approvals and set direct persistent allowances, preventing similar exposure in future. Users with prior persistent approvals to SwapNet contracts who have not yet revoked them continue to face residual exposure.","heading":"Affected Users and Exposure Scope","severity":"high","sources":[{"credibility":2,"name":"How Opting Out of 0x One-Time Approvals Cost Users $16.8 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/"},{"credibility":2,"name":"Matcha Meta Breach Drains $16.8M via SwapNet Exploit — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/matcha-meta-breach-drains-16-113348450.html"},{"credibility":1,"name":"SwapNet Incident Post Mortem — Matcha Meta official","type":"official","url":"https://meta.matcha.xyz/SwapNet-Incident-Post-Mortem"}]},{"content":"On-chain tracing confirmed the attacker swapped approximately $10.5M USDC for approximately 3,655 ETH on the Base network and subsequently began bridging those funds to Ethereum mainnet. A secondary component of the broader $16.8M figure tracked by PeckShield involved approximately 37 WBTC (approximately $3.1M) drained on Ethereum mainnet, though Matcha Meta's post-mortem attributed that portion to the separate Aperture Finance exploit. No recovery, on-chain negotiation, or fund freeze has been publicly confirmed as of the investigation date. 
The attacker's primary wallet addresses were identified by CertiK during incident response but were not publicly disclosed in available post-mortem materials.","heading":"Fund Movement and On-Chain Activity","severity":"high","sources":[{"credibility":2,"name":"PeckShieldAlert on X — attacker swapped $10.5M USDC for ~3,655 ETH on Base","type":"social_media","url":"https://x.com/PeckShieldAlert/status/2015608261119217671"},{"credibility":3,"name":"SwapNet router exploit drains $16.8M on Matcha Meta — BingX","type":"news_article","url":"https://bingx.com/en/news/post/swapnet-router-exploit-drains-m-on-matcha-meta-as-attacker-swaps-m-usdc-on-base"},{"credibility":2,"name":"How Opting Out of 0x One-Time Approvals Cost Users $16.8 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/"}]},{"content":"Matcha Meta disclosed the incident on X within hours of the first on-chain exploitation and coordinated with the SwapNet team to temporarily disable affected contracts. The protocol subsequently removed the direct allowance option entirely from its interface, meaning users can no longer disable One-Time Approvals. A post-mortem was published the following day confirming the SwapNet contract as the sole attack surface and exonerating 0x's core AllowanceHolder and Settler contracts. No compensation fund or reimbursement program for affected users has been publicly announced as of the investigation date. 
Users are advised to revoke any remaining approvals to the SwapNet router contract address 0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e on all affected chains (Ethereum, Arbitrum, Base, BSC).","heading":"Protocol Response and Remediation","severity":"medium","sources":[{"credibility":1,"name":"SwapNet Incident Post Mortem — Matcha Meta official","type":"official","url":"https://meta.matcha.xyz/SwapNet-Incident-Post-Mortem"},{"credibility":3,"name":"Matcha Meta Removes Direct Allowances After $16.8M SwapNet Exploit — Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/matcha-meta-removes-direct-allowances-after-16-8m-swapnet-exploit-as-crypto-hacks-rise/"},{"credibility":3,"name":"Matcha Meta Hit by $16.8M SwapNet Smart Contract Hack — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/matcha-meta-hit-by-16-8m-swapnet-smart-contract-hack"}]},{"content":"The incident highlights systemic risk inherent in DEX aggregators that integrate closed-source third-party routing modules. The SwapNet contract was closed-source at the time of the exploit, which limited independent security review. BlockSec's analysis noted this as a significant contributing factor. The 0x protocol itself was not compromised, and Matcha Meta's core infrastructure remained secure; the attack vector was entirely confined to one integrated liquidity provider. 
The simultaneous exploitation of Aperture Finance using a functionally identical arbitrary-call pattern suggests the vulnerability may have been known to the attacker prior to disclosure, or that both protocols shared common code or design patterns.","heading":"Third-Party Integration Risk","severity":"high","sources":[{"credibility":2,"name":"$17M Closed-Source Smart Contract Exploit — BlockSec Blog","type":"research","url":"https://blocksec.com/blog/17m-closed-source-smart-contract-exploit-arbitrary-call-swapnet-aperture"},{"credibility":2,"name":"Matcha Meta breach tied to SwapNet exploit drains up to $16.8M — TradingView / CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:09282c175094b:0-matcha-meta-breach-tied-to-swapnet-exploit-drains-up-to-16-8m/"}]},{"content":"Matcha was launched in April 2020 by 0x Labs, the company behind the 0x protocol, as a consumer-facing DEX aggregation interface. At the time of the incident, Matcha aggregated liquidity from over 140 DEXs across more than 10 blockchains, covering over 7 million tokens. The platform pioneered smart order routing and One-Time Approvals as a security-by-default mechanism. 0x Labs was founded in 2017 with a focus on open-standard DEX infrastructure. Matcha operates as a front-end product built on the 0x Aggregator service. 
No prior major exploits of Matcha's own contracts have been reported.","heading":"Background: Matcha Meta and 0x Protocol","severity":"low","sources":[{"credibility":1,"name":"About Matcha DEX Aggregator — matcha.xyz","type":"official","url":"https://matcha.xyz/about-matcha-dex-aggregator"},{"credibility":1,"name":"Matcha Case Study — 0x.org","type":"official","url":"https://0x.org/case-studies/matcha-v2"}]}],"sources_used":[{"credibility":1,"name":"SwapNet Incident Post Mortem — Matcha Meta official","type":"official","url":"https://meta.matcha.xyz/SwapNet-Incident-Post-Mortem"},{"credibility":2,"name":"Hacker swipes $13.5m from Matcha Meta users — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/matcha-meta-users-lose-millions-after-security-breach-at-integrated-protocol/"},{"credibility":2,"name":"How Opting Out of 0x One-Time Approvals Cost Users $16.8 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/"},{"credibility":2,"name":"Matcha Meta Breach Drains $16.8M via SwapNet Exploit — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/matcha-meta-breach-drains-16-113348450.html"},{"credibility":2,"name":"Matcha Meta users hit in $13.4 million SwapNet contract exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/386986/matcha-meta-swapnet-incident"},{"credibility":2,"name":"$17M Closed-Source Smart Contract Exploit: Arbitrary-Call Vulnerability in SwapNet and Aperture Finance — BlockSec Blog","type":"research","url":"https://blocksec.com/blog/17m-closed-source-smart-contract-exploit-arbitrary-call-swapnet-aperture"},{"credibility":2,"name":"PeckShieldAlert on X — initial breach report","type":"social_media","url":"https://x.com/PeckShieldAlert/status/2015608261119217671"},{"credibility":2,"name":"Matcha Meta breach tied to SwapNet exploit drains up to $16.8M — TradingView / 
CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:09282c175094b:0-matcha-meta-breach-tied-to-swapnet-exploit-drains-up-to-16-8m/"},{"credibility":3,"name":"Matcha Meta Removes Direct Allowances After $16.8M SwapNet Exploit — Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/matcha-meta-removes-direct-allowances-after-16-8m-swapnet-exploit-as-crypto-hacks-rise/"},{"credibility":3,"name":"Matcha Meta Hit by $16.8M SwapNet Smart Contract Hack — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/matcha-meta-hit-by-16-8m-swapnet-smart-contract-hack"},{"credibility":1,"name":"About Matcha DEX Aggregator — matcha.xyz","type":"official","url":"https://matcha.xyz/about-matcha-dex-aggregator"},{"credibility":1,"name":"Matcha Case Study — 0x.org","type":"official","url":"https://0x.org/case-studies/matcha-v2"},{"credibility":3,"name":"SwapNet loses $13.4 million after input validation flaw — MEXC News","type":"news_article","url":"https://www.mexc.com/news/580288"},{"credibility":2,"name":"Matcha Meta reports a security breach, $16.8M drained — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/matcha-meta-security-breach-16-8m-drained/"}],"summary":"Matcha Meta is a DEX meta-aggregator built on the 0x protocol by 0x Labs, launched in 2020, that routes trades across 140+ DEXs on 10+ blockchains. On January 25, 2026, a vulnerability in the SwapNet routing module — an integrated third-party liquidity provider — was exploited via an arbitrary external call flaw, draining open token allowances from users who had disabled the platform's default One-Time Approval feature. PeckShield reported initial losses of approximately $16.8M; Matcha Meta's post-mortem confirmed $13.43M in net losses across 20 affected users, with the balance attributable to a separate, concurrent $3.4M Aperture Finance exploit. 
Users with persistent approvals to SwapNet contracts face ongoing residual exposure until those allowances are revoked.","timeline":[{"date":"2020-04-01","event":"Matcha launched by 0x Labs as a DEX aggregator interface, aggregating liquidity across multiple DEXs on Ethereum.","source":"0x Labs / matcha.xyz official","source_url":"https://matcha.xyz/about-matcha-dex-aggregator"},{"date":"2026-01-25","event":"SwapNet router contract exploit begins at approximately 5:10 PM London time. Attacker exploits arbitrary call vulnerability in function 0x87395540() to drain open token allowances from users who disabled One-Time Approvals. Approximately $10.5M USDC swapped for ~3,655 ETH on Base network.","source":"PeckShieldAlert on X; Matcha Meta post-mortem","source_url":"https://x.com/PeckShieldAlert/status/2015608261119217671"},{"date":"2026-01-25","event":"At approximately 9:47 PM London time, Matcha Meta publicly acknowledges the security incident on X, urging users to revoke approvals to SwapNet contracts. PeckShield reports $16.8M in losses.","source":"PeckShieldAlert on X; DL News","source_url":"https://www.dlnews.com/articles/defi/matcha-meta-users-lose-millions-after-security-breach-at-integrated-protocol/"},{"date":"2026-01-25","event":"Aperture Finance, a separate multi-chain liquidity protocol, also suffers an exploit using a functionally identical arbitrary-call vulnerability on the same date, accounting for an additional ~$3.4-3.67M in losses tracked within the broader $16.8M PeckShield estimate.","source":"Cryptopolitan; BlockSec Blog","source_url":"https://blocksec.com/blog/17m-closed-source-smart-contract-exploit-arbitrary-call-swapnet-aperture"},{"date":"2026-01-26","event":"Matcha Meta publishes official post-mortem confirming $13.43M in net SwapNet-specific losses across 20 users, exonerating 0x core contracts. 
Protocol permanently removes the direct allowance option from its interface.","source":"Matcha Meta SwapNet Incident Post Mortem","source_url":"https://meta.matcha.xyz/SwapNet-Incident-Post-Mortem"},{"date":"2026-02-05","event":"Aperture Finance separately confirms $3.67M in losses from the January 25 exploit, corroborating the concurrent nature of the two incidents.","source":"BeInCrypto; BlockSec Blog","source_url":"https://beincrypto.com/matcha-meta-swapnet-defi-exploit-loss/"}]},"v":1}