Matcha Meta Removes Direct Allowances After $16.8M SwapNet Exploit
Matcha Meta disclosed a SwapNet-related exploit that allowed attackers to withdraw roughly $16.8 million by abusing an “arbitrary call” vulnerability in the SwapNet router contract. Security firms PeckShield and CertiK reported the attacker swapped an estimated $10.5M–$13.3M USDC on Base into about 3,655 ETH and bridged proceeds to Ethereum. Matcha Meta said the exposure affected users who disabled One-Time Approval and set direct allowances on aggregator contracts; accounts using One-Time Approval were not impacted. After consulting 0x protocol developers, Matcha Meta confirmed the issue did not involve 0x’s AllowanceHolder or Settler contracts and removed the option to set direct allowances to reduce future risk. The incident underscores persistent smart-contract risks in aggregator integrations and cross-chain bridges. Traders should review and revoke persistent allowances, avoid direct aggregator approvals, monitor bridging flows, and exercise caution with new aggregator features. The exploit adds to a wider pattern of recent DeFi losses — including Bybit, Makina Finance and SagaEVM breaches — and contributes to elevated security concerns that can affect liquidity and risk premiums in DeFi markets.
Bearish
The exploit is likely bearish for the tokens and services directly involved because it increases perceived risk around aggregator integrations and cross-chain operations. Short-term effects: heightened selling pressure or reduced demand for aggregator-related tokens and assets on affected chains (notably ETH liquidity moved via Base), increased gas on bridging, and short-term risk-off behavior from traders who revoke allowances and reduce exposure to aggregators. Market makers may widen spreads and liquidity providers could pull funds from risky pools, increasing slippage and costs. Long-term effects: protocol-level fixes (removing direct allowances) and improved auditing could restore confidence, but repeated incidents erode trust and sustain a higher security risk premium. For ETH specifically, while the hack involved swapping USDC to ETH and bridging it, ETH’s broad market liquidity and diverse use cases limit a prolonged price decline solely from this event; still, short-term volatility and localized sell pressure are expected. Overall, the news dampens sentiment for aggregator integrations and cross-chain bridge activity, making market conditions more cautious until auditors and developers demonstrate durable fixes.