Arbitrary-call bug lets attackers drain $17M from SwapNet and Aperture Finance
A shared arbitrary-call vulnerability allowed attackers to drain more than $17 million from two DeFi protocols. SwapNet, a DEX aggregator used by Matcha Meta, lost about $13.4 million across Ethereum, Arbitrum, Base and BSC after an unvalidated function (selector 0x87395540) executed low-level calls to caller-supplied token addresses; one user alone lost roughly $13.34 million. Attackers abused existing infinite approvals granted by Matcha Meta users who had disabled One-Time Approval. Aperture Finance suffered a separate but similar exploit of function 0x67b34120, in which malicious calldata triggered transferFrom calls and approvals on Uniswap V3 position NFTs, costing about $3.67 million. Both incidents were analyzed by BlockSec, which warned that excessive flexibility without strict call constraints is risky, especially in closed-source contracts. Immediate responses: the protocols asked users to revoke approvals (e.g., via Revoke.cash); Matcha Meta disabled the One-Time Approval toggle and removed SwapNet; Aperture disabled the affected web features and is working with forensic teams and law enforcement to trace and recover funds.
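To make the root cause concrete, the following Solidity sketch is an added illustration, not SwapNet's or Aperture's code and not BlockSec's analysis. The first contract shows the generic arbitrary-call pattern the report describes: a router that holds users' token approvals and forwards a low-level call to whatever target and calldata the caller supplies. Because the forwarded call runs with the router as msg.sender, a token contract that users approved to the router will honour a transferFrom or approve issued through it. The second contract shows the constraints a reviewer would expect: an allowlist of call targets that excludes tokens users approve to the router, plus a selector denylist as defence in depth. Contract and function names are assumptions for the example; the selector constants are the standard ERC-20/ERC-721 values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the example (standard interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (constructed example): the caller chooses both the target
// and the calldata. If `target` is a token that users have approved to this
// router, the inner call executes with this router as msg.sender, so the token
// spends the router's allowance on the caller's behalf. No amount, target or
// selector is validated, which is the class of flaw described in the report.
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

// HARDENED PATTERN (constructed example): the same entry point with explicit
// constraints on where a forwarded call may go and what it may do.
contract ConstrainedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;   // allowlisted swap venues only
    mapping(address => bool) public isApprovedToken;  // tokens users may approve to this router

    // Selectors that must never be forwarded, whatever the target. Note that
    // ERC-721 approve(address,uint256) shares its selector with ERC-20 approve,
    // so the same check covers position NFTs such as Uniswap V3 positions.
    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;                          // 0x23b872dd
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));               // 0x095ea7b3
    bytes4 private constant SET_APPROVAL_FOR_ALL = bytes4(keccak256("setApprovalForAll(address,bool)")); // 0xa22cb465

    constructor() {
        owner = msg.sender;
    }

    function setTarget(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = ok;
    }

    function setToken(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        isApprovedToken[token] = ok;
    }

    // Pulls exactly `amountIn` of `tokenIn` from the caller for this swap, then
    // forwards the venue call. The standing allowance is only ever consumed for
    // the caller's own funds and only up to the amount they pass in.
    function execute(address tokenIn, uint256 amountIn, address target, bytes calldata data)
        external
        payable
        returns (bytes memory)
    {
        // 1. The target must be an allowlisted venue and must never be a token
        //    that users approve to this router: that is the exact path abused here.
        require(allowedTarget[target] && !isApprovedToken[target], "target not allowed");

        // 2. Defence in depth: refuse to forward approval- and transfer-moving
        //    selectors even to an allowlisted target.
        require(data.length >= 4, "short calldata");
        bytes4 sel = bytes4(data[:4]);
        require(sel != TRANSFER_FROM && sel != APPROVE && sel != SET_APPROVAL_FOR_ALL, "forbidden selector");

        // 3. Move only the caller's own declared input, from the caller.
        require(isApprovedToken[tokenIn], "unsupported token");
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The contract-side constraints are only half of the mitigation. The report's other half is on the user side: an infinite allowance to a router turns any future bug in that router into a standing drain on the user's balance, which is why the immediate advice was to revoke approvals and why one-time or exact-amount approvals are the safer default.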
Bearish
The hacks expose a material smart-contract risk in DeFi infrastructure: arbitrary-call flaws combined with users' infinite approvals enable large, rapid asset drains. The short-term market impact is likely bearish for the affected protocols and could weigh on liquidity-provider confidence in similar aggregators and liquidity-management services. Traders may see increased sell pressure on associated tokens and reduced TVL in the affected protocols while users revoke approvals and withdraw funds. Historically, high-profile hacks (e.g., code-execution or approval-based drains) lead to short-term price declines in related tokens and elevated volatility across the DeFi sector. In the medium term the market impact depends on recovery efforts, successful fund tracing and recovery, and security fixes. If teams swiftly patch contracts, recover funds, and improve approval UX (one-time approvals, safer defaults), confidence can be partially restored and the effect will be transient. However, repeated incidents or poor responses can produce longer-term outflows, higher risk premia for DeFi projects, and tougher capital conditions for aggregators and permissionless services.