Decentralized exchange (DEX) aggregator Matcha Meta reported a security breach after vulnerabilities in one of its primary liquidity provider’s, SwapNet, router contract led to potential losses totaling between $13.3 million and $16.8 million on the Base blockchain.

Incident Details

Matcha Meta made the announcement via a post on X (formerly known as Twitter), urging users who had previously permitted token approvals for SwapNet’s router contract to urgently revoke these permissions to mitigate further potential losses.

According to blockchain security firm CertiK, around $13.3 million was stolen, while another security entity, PeckShield, reported the theft could be as high as $16.8 million on the Base network.

“So far, ~$16.8M worth of crypto has been drained. On Base, the attacker swapped ~10.5M USDC for ~3,655 ETH and has begun bridging funds to Ethereum,” commented PeckShield in a subsequent post, reiterating the need for users to revoke all contract approvals.

CertiK later clarified that the exploitation originated from an arbitrary call in the @0xswapnet contract, enabling the attacker to transfer funds that had been approved for disbursement.

Matcha Meta emphasized that the security issue was linked to SwapNet’s operations, not Matcha’s own infrastructure. In response to inquiries about accountability or plans for user compensation, Matcha had not provided a statement by the time of this publication.

Broader Context

This breach comes on the heels of another exploit two weeks earlier, which caused losses amounting to $26 million tied to the Truebit protocol. Emerging as a significant target for hackers, smart contracts accounted for about 30.5% of all cryptocurrency-related security incidents in 2025, according to SlowMist’s year-end report.

Additionally, advancements in artificial intelligence have begun to impact the identification of vulnerabilities, with generative AI models recently being reported to uncover notable smart-contract flaws totalling $4.6 million.