How Declining 0x One-Time Approvals Led to $16.8 Million in User Losses

In a significant blow to the decentralized finance (DeFi) landscape, SwapNet, an on-chain decentralized exchange (DEX) aggregator, has fallen victim to a smart-contract exploit that drained roughly $16.8 million in crypto assets. The incident, reported by security firm PeckShield, underscores a recurring DeFi weakness: standing token approvals granted to third-party routing contracts, which remain exploitable for as long as they are left in place.

The attack hit SwapNet routing that users could reach through Matcha Meta, a meta DEX aggregator developed by the 0x team. On the Base network, the attacker swapped approximately $10.5 million in USDC for around 3,655 ETH and then bridged the funds to Ethereum, a common step that complicates tracing and recovery.

In a statement, Matcha Meta clarified that the exploit did not originate from its core infrastructure. It affected users who had opted out of 0x's One-Time Approval system, a feature that limits how long and how broadly a token permission stays valid. Users who disabled it instead granted direct, persistent ERC-20 approvals to the underlying aggregator contracts, including SwapNet's router. Such an approval lets the router move the user's tokens at any later time without a further signature from the wallet owner, which is what turned the router into the attack vector once it was compromised.

“We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time Approvals,” Matcha Meta stated. The platform confirmed it is working closely with the SwapNet team, which has temporarily disabled the affected contracts while investigations are underway.

As a precautionary measure, Matcha Meta urged users to revoke any approvals granted directly to individual aggregator routers, that is, approvals set outside 0x's One-Time Approval flow. The platform singled out SwapNet's router contract as the most urgent one to revoke, warning that a wallet with an outstanding allowance to that router can be drained without any further action by its owner, even after the exploit itself has been contained.

DeFi’s Security Trade-Offs: Convenience vs. Safety

This incident highlights a persistent dilemma in DeFi: the trade-off between convenience and security. One-Time Approvals require the user to authorize each trade individually, so the allowance is consumed by that trade and nothing is left for an attacker to spend later. That approach is cumbersome for frequent traders. An unlimited approval is more efficient, but it leaves a standing allowance that the approved contract can draw on at any time via transferFrom, with no further involvement from the user; if that contract is later compromised, every wallet that still holds an allowance to it can be emptied.
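The allowance mechanics behind this trade-off, and the revocation the advisory asks for, as an added example that is not code from the page, 0x, Matcha or SwapNet. It models ERC-20 approve/transferFrom in a small in-memory ledger with three constructed wallets (unlimited approval never revoked, exact per-trade approval, and unlimited approval revoked before the router turned hostile), then shows the raw calldata a wallet sends to the token contract to set the router's allowance to zero. Addresses, balances and the compromised router are constructed; only the two function selectors are real, fixed by the ERC-20 ABI.

```python
"""Why a standing ERC-20 allowance to a router is dangerous, and the raw
calldata a wallet sends to revoke one. Hypothetical example: addresses,
balances and the 'compromised router' are constructed for illustration."""

from dataclasses import dataclass, field

# Standard ERC-20 selectors: first 4 bytes of keccak256 of each signature.
# These are fixed by the ERC-20 ABI, not invented for this example.
SEL_APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)

UINT256_MAX = 2**256 - 1  # the value an "unlimited approval" stores


def abi_address(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def abi_uint256(value: int) -> bytes:
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> bytes:
    """Calldata for token.approve(spender, amount); amount == 0 revokes."""
    return SEL_APPROVE + abi_address(spender) + abi_uint256(amount)


@dataclass
class ERC20:
    """Minimal ledger implementing ERC-20 allowance rules."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        """caller plays msg.sender: it may move owner's tokens only up to the
        allowance owner granted it. No signature from owner is involved."""
        allowed = self.allowances.get((owner, caller), 0)
        if amount <= 0 or allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # common convention: an infinite allowance is never decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


# Constructed addresses (not real contracts or accounts).
ROUTER = "0x" + "ab" * 20    # an aggregator router the users trade through
ATTACKER = "0x" + "ba" * 20  # whoever controls the router once it is compromised
ALICE = "0x" + "01" * 20     # one-time approvals off: unlimited allowance, never revoked
BOB = "0x" + "02" * 20       # one-time approvals on: exact allowance, consumed by the swap
CAROL = "0x" + "03" * 20     # unlimited allowance, but revoked after the advisory


def simulate() -> dict:
    usdc = ERC20(balances={ALICE: 10_000, BOB: 10_000, CAROL: 10_000})
    trade = 1_000

    # 1. Approvals, then one legitimate swap each (router pulls the input tokens).
    usdc.approve(ALICE, ROUTER, UINT256_MAX)
    usdc.approve(BOB, ROUTER, trade)
    usdc.approve(CAROL, ROUTER, UINT256_MAX)
    for user in (ALICE, BOB, CAROL):
        usdc.transfer_from(ROUTER, user, ROUTER, trade)

    # 2. Carol follows the advisory and revokes. This is the transaction her
    #    wallet sends to the token contract; it must be mined before the attacker acts.
    usdc.approve(CAROL, ROUTER, 0)
    revoke_calldata = encode_approve(ROUTER, 0)

    # 3. Router is compromised. Its controller calls transferFrom against every
    #    wallet that still has an allowance. Only Alice's standing allowance works.
    drained = {}
    for user in (ALICE, BOB, CAROL):
        try:
            usdc.transfer_from(ROUTER, user, ATTACKER, usdc.balances[user])
            drained[user] = True
        except PermissionError:
            drained[user] = False

    return {
        "drained": drained,
        "balances": dict(usdc.balances),
        "revoke_calldata": "0x" + revoke_calldata.hex(),
    }


if __name__ == "__main__":
    out = simulate()
    for user, name in ((ALICE, "alice"), (BOB, "bob"), (CAROL, "carol")):
        print(f"{name}: drained={out['drained'][user]} balance={out['balances'][user]}")
    print("revoke calldata:", out["revoke_calldata"])
```

The revocation is an ordinary `approve(router, 0)` call on the token contract, so the 68-byte calldata above is what a wallet or a revocation tool submits on the user's behalf. Two caveats matter in practice: the revoke transaction only protects a wallet once it is mined, and on a real chain each token held requires its own revoke, because allowances are per token, per spender.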

As of now, SwapNet has not released a comprehensive technical post-mortem or indicated whether affected users will receive compensation, leaving many questions about accountability and recovery unanswered. The lack of immediate clarity is likely to intensify scrutiny around approval practices and aggregator integrations across the DeFi landscape.

Another Ethereum Exploit Highlights Risks of Unverified Contracts

The SwapNet exploit is part of a troubling trend of smart-contract attacks in the crypto market. On the same day, security auditor Pashov reported a separate exploit on the Ethereum mainnet involving approximately 37 WBTC, valued at over $3.1 million. That incident was linked to a closed-source contract deployed just 41 days earlier whose source code had never been verified on a block explorer, so only the raw bytecode was public and its logic could not be reviewed before funds were at stake.

Together, these incidents reveal a fertile ground for attackers in DeFi, characterized by unverified code, persistent approvals, and complex routing layers. Despite years of audits and security enhancements, the DeFi sector continues to grapple with structural vulnerabilities, placing the onus on developers and users to navigate the delicate balance between usability and risk management.

Disclaimer

This article was generated automatically and is not written or endorsed by the site’s editorial author.
Content may be lightly edited for factual clarity or accuracy when necessary.