SwapNet Exploit Drains $17M, Exposes DeFi Approval Risks

TheNewsCrypto, published 2026-01-26, last updated 2026-01-26

Summary

A significant security breach occurred at DEX aggregator SwapNet, resulting in a loss of approximately $16.8 million. The exploit was first identified by security firm PeckShield. The attacker swapped $10.5 million in USDC for Ether on Base network and bridged the funds to Ethereum. The vulnerability stemmed from users disabling the "One-Time Approval" feature designed to restrict token permissions. By doing so, they inadvertently granted direct and persistent approvals to underlying contracts, including SwapNet’s router, which the attacker exploited. Matcha Meta, the meta-DEX aggregator through which SwapNet was accessed, clarified that the issue did not originate from its core system but from this user configuration choice. SwapNet paused its contracts to mitigate further damage and investigate the incident. Users were urged to revoke approvals granted outside the One-Time Approval framework, especially for SwapNet’s router. The event underscores a critical DeFi trade-off: one-time approvals enhance security but add friction, while unlimited approvals improve usability but create persistent risk if a platform is compromised. This incident is part of a broader pattern of exploits targeting unverified code and standing approvals, highlighting ongoing risks in DeFi’s interconnected ecosystem. SwapNet has not yet released a technical post-mortem or confirmed user compensation.

A smart contract exploit has been identified at the on-chain DEX aggregator SwapNet, draining crypto assets worth close to $16.8 million.

PeckShield, a security firm, first reported the attack, flagging suspicious activity in SwapNet integrations reachable through Matcha Meta, the meta-DEX aggregator built by the 0x team. On the Base network, the attacker swapped $10.5 million in USDC for approximately 3,655 Ether and then bridged the funds to Ethereum, which makes the proceeds harder to track and trace.

Matcha Meta explained, however, that the bug did not originate in its own stack. The problem began when users disabled 0x's "One-Time Approval" feature, which is designed to restrict token permissions. With the feature off, users granted token approvals directly to the underlying aggregator contracts, including SwapNet's router, instead of the restricted one-time flow, and it was that standing router approval the attacker used.

Matcha Meta acknowledged this publicly and said it had been working with the SwapNet team. SwapNet paused its smart contracts to contain the damage and to identify the exploit path for its investigation.

Approval settings under scrutiny

The platform urged users to immediately revoke any approvals granted outside the One-Time Approval framework, and singled out SwapNet's router contract as the priority target for revocation. An ERC-20 approval is recorded in the token contract, not in the approved spender, so pausing SwapNet's contracts does not clear it; without intervention, wallets would have remained exposed even after the exploit stopped.

This situation highlights a trade-off inherent in DeFi applications. With one-time approvals, each transaction must be authorized separately, which keeps permissions minimal but adds friction. Unlimited approvals, by contrast, make trading smooth but grant contracts persistent access to funds. When attackers compromise a contract, those standing permissions become a direct risk.
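The revocation the article asks for is mechanical once you know which standing allowances a wallet holds. The script below is an added example, not code from SwapNet, Matcha Meta or 0x: it reconstructs a wallet's current ERC-20 allowances from Approval event logs (the shape eth_getLogs returns), flags anything granted to a named spender (a router address you supply; the hypothetical `ROUTER` here is a stand-in, not the real SwapNet router) plus every unlimited allowance, and builds the `approve(spender, 0)` calldata that revokes each one together with the `allowance()` call that confirms it. The only on-chain facts it relies on are the standard ERC-20 selectors and the Approval topic; every address and log entry is constructed.

```python
"""Audit a wallet's standing ERC-20 approvals from Approval logs and build the
approve(spender, 0) calldata that revokes them. Added example, not SwapNet,
Matcha Meta or 0x code; all addresses and log entries are constructed."""
from dataclasses import dataclass
from typing import Optional

# Standard ERC-20 ABI constants (keccak-256 of the canonical signatures).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"    # approve(address,uint256)
ALLOWANCE_SELECTOR = "0xdd62ed3e"  # allowance(address,address)
UINT256_MAX = 2**256 - 1           # the "unlimited" amount most wallets send


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int
    block: int
    log_index: int


def _word(hex_no_prefix: str) -> str:
    """Left-pad hex to one 32-byte ABI word."""
    return hex_no_prefix.lower().rjust(64, "0")


def parse_approval_log(log: dict) -> Optional[Approval]:
    """Decode one eth_getLogs entry; None if it is not an ERC-20 Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        token=log["address"].lower(),
        owner="0x" + topics[1][-40:].lower(),    # indexed address = low 20 bytes
        spender="0x" + topics[2][-40:].lower(),
        value=int(log["data"], 16),
        block=int(log["blockNumber"], 16),
        log_index=int(log["logIndex"], 16),
    )


def current_allowances(logs: list, owner: str) -> dict:
    """Latest non-zero Approval per (token, spender). approve() overwrites rather
    than accumulates, so the last event wins; sort first because an RPC response
    is not guaranteed to be ordered."""
    mine = [a for a in map(parse_approval_log, logs) if a and a.owner == owner.lower()]
    latest = {}
    for a in sorted(mine, key=lambda a: (a.block, a.log_index)):
        latest[(a.token, a.spender)] = a
    return {k: a for k, a in latest.items() if a.value > 0}


def encode_approve(spender: str, amount: int) -> str:
    return APPROVE_SELECTOR + _word(spender[2:]) + format(amount, "064x")


def encode_allowance(owner: str, spender: str) -> str:
    return ALLOWANCE_SELECTOR + _word(owner[2:]) + _word(spender[2:])


def revocation_plan(logs: list, owner: str, flagged_spenders: list) -> list:
    """Allowances worth revoking: anything granted to a flagged spender (say, the
    router of a paused protocol) plus every unlimited allowance. Each entry carries
    the revoke tx and the eth_call that should read allowance() == 0 afterwards."""
    flagged = {s.lower() for s in flagged_spenders}
    plan = []
    for (token, spender), a in current_allowances(logs, owner).items():
        reasons = [r for r, hit in (("flagged spender", spender in flagged),
                                    ("unlimited", a.value == UINT256_MAX)) if hit]
        if reasons:
            plan.append({"token": token, "spender": spender, "allowance": a.value,
                         "reason": ", ".join(reasons),
                         "revoke_tx": {"to": token, "data": encode_approve(spender, 0)},
                         "verify_call": {"to": token, "data": encode_allowance(owner, spender)}})
    return plan


# Constructed sample: hypothetical addresses, not real tokens or routers.
OWNER, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "de" * 20, "0x" + "be" * 20
USDC_LIKE, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20


def _log(token, owner, spender, value, block, idx, topic=APPROVAL_TOPIC):
    return {"address": token, "data": "0x" + format(value, "064x"),
            "topics": [topic, "0x" + _word(owner[2:]), "0x" + _word(spender[2:])],
            "blockNumber": hex(block), "logIndex": hex(idx)}


SAMPLE_LOGS = [
    _log(USDC_LIKE, OWNER, ROUTER, UINT256_MAX, 100, 0),  # unlimited to the router
    _log(USDC_LIKE, OWNER, OTHER, 0, 102, 0),             # revocation, delivered out of order
    _log(USDC_LIKE, OWNER, OTHER, 1000, 101, 2),          # the earlier finite approval
    _log(TOKEN_B, OWNER, ROUTER, 500, 103, 1),            # finite, but to the flagged router
    _log(TOKEN_B, OWNER, OTHER, UINT256_MAX, 104, 0),     # unlimited to an unflagged spender
    _log(TOKEN_B, "0x" + "22" * 20, ROUTER, UINT256_MAX, 105, 0),  # another wallet's approval
    _log(TOKEN_B, OWNER, OTHER, 5, 106, 0,                # a Transfer event, skipped by the parser
         topic="0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"),
]

if __name__ == "__main__":
    for item in revocation_plan(SAMPLE_LOGS, OWNER, [ROUTER]):
        print(item["token"], item["spender"], item["reason"], item["revoke_tx"]["data"])
```

Two caveats when running this against a live wallet. Rebuilding allowances from events is a heuristic: some token implementations also emit Approval when an allowance is spent through transferFrom, so treat the event-derived value as a candidate and confirm it with the `allowance()` call before and after revoking. Approvals made through signature-based schemes such as Permit2 live in that contract rather than the token, so they need a separate check and a separate revocation.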

SwapNet has not yet published a detailed technical post-mortem. The team also has not confirmed whether it will compensate affected users. That lack of clarity adds pressure on aggregator platforms to improve transparency and tighten integration standards.

Broader pattern of smart contract risks

The SwapNet exploit did not happen in a vacuum. On the same day, security auditor Pashov spotted a separate Ethereum exploit in which about 37 WBTC, valued at over $3.1 million, was stolen. That exploit targeted closed-source, unverified code deployed just weeks earlier; only the bytecode was published, so the contract could not be reviewed easily.

Together, these attacks sketch the current threat landscape for DeFi protocols: unverified code, standing token approvals, and complex routing layers that connect many protocols. Despite improved audits and better tooling, attackers continue to exploit design shortcuts and integration blind spots.

As DeFi grows more interconnected, developers must harden approval systems and reduce hidden trust assumptions. Meanwhile, users must actively manage permissions and understand the security implications of convenience features. The SwapNet exploit shows that small configuration choices can have multi-million-dollar consequences.


Tags: crypto security, DeFi, DEX, Onchain, Smart Contract

Related questions

Q: What was the total amount of crypto assets drained in the SwapNet exploit?

A: Close to $16.8 million (roughly $17 million) in crypto assets was drained.

Q: Which security company first reported the SwapNet attack, and on which platform's integrations was the suspicious activity noted?

A: PeckShield first reported the attack, noting suspicious activity in SwapNet integrations accessible through Matcha Meta.

Q: What user action, related to a 0x feature, inadvertently allowed the vulnerability to be exploited?

A: Users disabling the "One-Time Approval" feature, which is designed to restrict token permissions, inadvertently granted direct and persistent approvals.

Q: According to the article, what is the critical trade-off between one-time approvals and unlimited approvals in DeFi?

A: One-time approvals reduce permissions but introduce friction by requiring separate authorization for each transaction, while unlimited approvals facilitate smooth trading but grant contracts persistent access to funds, creating a direct risk if a contract is compromised.

Q: Besides the SwapNet incident, what other exploit was reported on the same day, and what was the value of the assets stolen?

A: A separate Ethereum exploit was spotted by security auditor Pashov on the same day, in which about 37 WBTC, valued at over $3.1 million, was stolen.
