On-chain decentralized exchange (DEX) aggregator, SwapNet, has suffered a major smart contract exploit that drained nearly $16.8 million in crypto assets.

The incident highlights persistent security risks tied to token approvals and third-party routing contracts in decentralized finance (DeFi).

PeckShield reported that the attacker targeted SwapNet-linked activity accessible through Matcha Meta, a meta DEX aggregator built by the 0x team.

On the Base network, the attacker swapped approximately $10.5 million in USDC for around 3,655 ETH before bridging the funds to Ethereum, a common tactic used to complicate tracking and recovery efforts.

#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of "One-Time Approvals" are at risk.

So far, ~$16.8M worth of crypto has been drained.

On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF

Matcha Meta articulated that the exposure did not stem from its core infrastructure. Instead, the affected users were those who had opted out of 0x’s One-Time Approval system, a security feature designed to limit ongoing token permissions.

Users who disabled this option granted direct approvals to underlying aggregator contracts, including SwapNet’s router, which ultimately became the attack vector.

“We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time Approvals,” Matcha Meta said in a statement.

The platform confirmed it is coordinating with the SwapNet team, which has temporarily disabled the affected contracts while investigations continue.

As a precaution, Matcha Meta urged users to immediately revoke approvals to individual aggregators outside of 0x’s One-Time Approval framework.

The platform highlighted SwapNet’s router contract (0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e) as the most urgent approval to revoke. Failure to do so could leave wallets exposed even after the exploit has been contained.

As a precaution, we recommend revoking all approvals to individual aggregators outside of 0x's One-Time Approval contracts.

Most timely is SwapNet's router contract at 0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e https://t.co/NpwRWtVwzb

The incident reflects a longstanding trade-off in DeFi between convenience and security. One-Time Approvals require users to approve each transaction individually, reducing persistent attack surfaces. However, it also adds friction for frequent traders.

Unlimited approvals, while faster, grant smart contracts enduring access to user funds. However, this arrangement becomes dangerous when those contracts are compromised.

SwapNet has not yet released a full technical post-mortem or indicated whether affected users will be compensated. This leaves open questions around accountability and recovery.

The lack of immediate clarity is likely to intensify scrutiny around approval practices and aggregator integrations across the DeFi ecosystem.

The exploit comes amid a broader pattern of smart contract attacks and security incidents in the crypto market.

On the same day, security auditor Pashov flagged a separate Ethereum mainnet exploit involving roughly 37 WBTC, worth over $3.1 million.

This was linked to a closed-source, unverified contract deployed just 41 days earlier. The contract published only non-human-readable bytecode, preventing public review.

🚨New smart contract exploit on Ethereum mainnet, from 3 hours ago – this one is for ~37 WBTC, worth over $3.1M

Contract was 41 days old with unverified code (closed source) – only non-human readable code published. pic.twitter.com/5J8LZxEkJw

Together, the incidents highlight abundant fertile grounds for attackers in DeFi. These are:

Despite years of audits and security improvements, DeFi continues to grapple with structural vulnerabilities. This places the burden on developers and users to balance usability with risk management.

The post An On-Chain DEX Aggregator Just Lost $17 Million in Major Smart Contract Attack appeared first on BeInCrypto.

Bitcoin price in Telegram @btc_price_every_hour

424 +