A security incident tied to the matcha meta hack has resulted in almost $17 million worth of cryptocurrency being taken from users of Matcha Meta, a DeFi exchange meta aggregator created by 0x. The attack started at around 5:10pm London time on January 25, according to reports that described the event as a breach. Matcha Meta later acknowledged the issue publicly and pointed to a third-party integration as the source of the problem.
Several security firms flagged the incident as it unfolded, including Peckshield, which described it as a security breach. Matcha Meta confirmed the situation later in the day. In a post on X at 9:47pm, the project said the incident stemmed from SwapNet, an exchange aggregator that had been integrated with the protocol.
In its update, Matcha Meta said the issue was not connected to 0x’s core components used for approvals and settlement. The project stated that “the nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts.” Instead, it focused attention on how some users’ trades had been routed and what settings those users had enabled at the time.
Matcha Meta operates as what the industry calls a “meta aggregator.” It is designed as a single interface for traders that checks across decentralised exchange aggregators to identify the most cost-efficient route for a trade, while charging a small fee. Because it can route trades through different aggregators, it relies on integrations that may carry their own technical and security assumptions. In this case, Matcha Meta’s own description of the event tied the losses to SwapNet, rather than to the project’s underlying contracts.
Matcha Meta warned that certain users faced greater exposure depending on how their trades were processed and which approval settings they used. The project said users whose trades were routed through SwapNet and who had turned off One-Time Approvals were at risk.
As a precaution, Matcha Meta advised users to revoke approvals granted to individual aggregators outside of 0x’s One-Time Approval contracts. The guidance focused specifically on permissions that could still be active, rather than on a single completed trade, reflecting how token spending permissions can persist on networks such as Ethereum.
In DeFi trading, users typically sign an initial transaction that authorizes a contract to spend the token being sold. Some exchanges and aggregators provide an option to restrict this permission to a one-time approval that covers only the amount required for a specific transaction. Others allow users to set unlimited approvals manually, which can remain in effect even after the swap is completed.
Those persistent approvals can reduce friction for active traders by speeding up future trades and saving transaction fees, but they also expand the damage an attacker can do if the approved contract is compromised. If a contract that holds an unlimited approval is exploited, an attacker can potentially pull tokens from wallets that previously granted that permission. Matcha Meta’s warning indicates that this type of exposure was central to the losses seen in the incident tied to SwapNet.
The incident comes amid ongoing concern from developers and security researchers about DeFi exploits, especially those involving older smart contracts. A report from blockchain security firm Slowmist said that hackers stole over $649 million last year via code exploits, underlining how vulnerabilities and permissioning design choices can translate into large losses.
In commentary posted on X, Weilin Li, a DeFi security researcher and PhD student at University College London, described what appeared to have happened at SwapNet. Li wrote that “the root cause appears to be an arbitrary call controlled by the attacker that drains the open allowance to this contract,” and characterized it as the biggest approval attack they had seen excluding phishing.
Even with those observations, key details remain unresolved. It was not clear how the attacker gained access to SwapNet’s smart contracts. SwapNet also did not immediately respond to a request for comment, leaving unanswered questions about the precise mechanism of compromise and what changes might be required to prevent similar issues in future integrations.
The matcha meta hack centered on SwapNet, according to Matcha Meta’s own account, and resulted in almost $17 million in crypto being taken from users. The project said the incident was not tied to 0x’s AllowanceHolder or Settler contracts, and urged users to revoke approvals to individual aggregators outside of 0x’s One-Time Approval contracts. The episode has renewed attention on the risks of unlimited approvals in DeFi and the scale of losses that can follow when those permissions are abused.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is opinion of the author and does not reflect any view or suggestion or any kind of advise from CryptoNewsBytes.com. The author declares he does not hold any of the above mentioned tokens or received any incentive from any company.
Read more on CRYPTONEWSBYTES.COM
