- Hackers drained ~$16.8M from Matcha Meta through SwapNet’s router contract. Users must revoke token approvals immediately.
- Smart-contract flaws caused 30% of crypto exploits in 2025, showing DeFi platforms remain highly vulnerable.
- AI tools like GPT-5 are now spotting millions in potential DeFi exploits, reshaping crypto security strategies.
Crypto investors face fresh alarm as decentralized exchange aggregator Matcha Meta experienced a major security breach on Sunday. The attack exploited one of its primary liquidity providers, SwapNet, putting user funds at risk.
Matcha Meta warned that anyone who previously approved token access to SwapNet’s router contract may suffer losses. Consequently, the protocol urged immediate revocation of all approvals to prevent further drain. Blockchain security firms reported varying estimates: CertiK cited $13.3 million stolen, while PeckShield indicated around $16.8 million on the Base network.
The breach unfolded when attackers executed an “arbitrary call in 0xswapnet contract that let attacker to transfer funds approved to it,” according to CertiK. On Base, PeckShield noted, “the attacker swapped ~10.5M USDC for ~3,655 ETH and has begun bridging funds to Ethereum.” Matcha Meta stressed the vulnerability stemmed from SwapNet rather than its own infrastructure.
Rising Smart-Contract Vulnerabilities
This incident follows a concerning trend in crypto losses linked to smart-contract flaws. In 2025, these vulnerabilities caused 30.5% of all exploits, accounting for 56 separate cybersecurity incidents, per SlowMist’s report.
Additionally, account compromises and hacked X accounts comprised 24% of total attacks. Smart contracts’ automated nature makes them lucrative targets, especially when coupled with non-custodial liquidity providers or on-chain pricing oracles.
Artificial intelligence is changing how crypto security works. Last December, AI tools like Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 spotted around $4.6 million worth of potential smart-contract weaknesses in various protocols. This shows AI can help both hackers find vulnerabilities faster and developers fix them sooner, making crypto security more dynamic than ever.
Recent DEX Breaches
Matcha Meta’s breach follows other high-profile incidents. Just six days earlier, Makina Finance lost $4.13 million from its DUSD/USDC liquidity pool on Curve due to a compromised data feed.
CoWSwap revealed a breach last year that used GPv2Settlement smart contracts to siphon $180,000. These attacks show how unrestricted access by external solvers or liquidity providers makes even complex protocols vulnerable.
