Matcha Meta reports $16,8 million loss linked to SwapNet.

• Matcha Meta experiences an issue with SwapNet integration.
• PeckShield estimates a loss of US$16,8 million in cryptocurrencies.
• The flaw involves direct permissions in aggregator contracts.

Matcha Meta, an aggregator of decentralized exchanges, reported a security incident related to its integration with SwapNet. The case came to light over the weekend and quickly caught the attention of blockchain analytics firms.

Estimates released by PeckShield indicate that approximately US$16,8 million in cryptocurrencies were drained. On-chain data suggests that the attacker converted approximately US$10,5 million on the Base network into about 3.655 units of another asset before moving the funds to the Ethereum network.

#PeckShield Matcha Meta has reported a security breach involving SwapNet. Users who opted out of “One-Time Approvals” are at risk.

So far, ~$16.8M worth of crypto has been drained.

On #baseThe attacker swapped approximately 10.5 million. $ USDC for ~3,655 $ ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF

—PeckShield (@PeckShield) January 26, 2026

Another security company, CertiK, had previously estimated A smaller loss, around US$13,3 million in USDC at Base. Initial analysis suggested the exploit was linked to an "arbitrary call" vulnerability in the SwapNet contract, allowing the attacker to use previously granted permissions to divert funds.

Matcha Meta stated that the issue was associated with a specific type of permissions configuration. According to the team, the vulnerability affected users who opted to disable Single Approval and configured limits directly in individual aggregator contracts.

In a public statement, the project stated:

"Users who have disabled Single Approval and set direct permissions in individual contracts with aggregators assume the risks of each aggregator."

In the same update, he added:

"We've removed the ability for users to set permissions directly on aggregators, so this will no longer be possible."

After reviewing the case together with the 0x protocol team, Matcha Meta reported that the vulnerability was not related to the 0x AllowanceHolder or Settler contracts. As an immediate measure, the SwapNet contracts were temporarily disabled and direct permissions involving aggregators were removed from the interface.

To date, the company has not publicly confirmed whether the funds of affected users have been recovered. Investigations are ongoing as the cryptocurrency sector experiences a series of significant incidents involving smart contract failures and protocol integrations.