SwapNet: Someone Turned Off the Safety Setting and Lost $13.34 Million
18 Matcha Meta users turned off a safety setting to speed up their trades. An attacker exploited SwapNet's smart contract to drain everything those 18 wallets had approved. One user lost $13.34 million. The other 17 split $90,000. PeckShield called it the largest approval attack in DeFi history.

One checkbox. Eighteen users. Thirteen and a third million dollars gone in one afternoon.
On January 25, 2026, 18 users of Matcha Meta had cryptocurrency removed from their wallets without warning. One of those 18 lost $13.34 million. The other 17 split the remaining $90,000.
Here is the full explanation, written for people who have never heard of a DEX aggregator.
When you want to trade one cryptocurrency for another, you can go to an exchange directly. Or you can use an aggregator - software that searches multiple exchanges simultaneously and finds the best available price, the way a flight website compares all airlines at once. Matcha Meta is a meta aggregator, which searches aggregators the way aggregators search exchanges. One extra layer of routing, better prices.
For this to work, Matcha Meta needs permission to move your tokens on your behalf. This is called an approval. By default, Matcha Meta uses a system called One-Time Approval. Every trade requires new permission specifically for that transaction. Safer, one extra step each time.
Some users found this inconvenient. They turned it off. Turning off One-Time Approval granted persistent, unlimited approval directly to the underlying contracts - including SwapNet, one of the aggregators Matcha Meta routed trades through.
On January 25 at 5:10 PM UTC, an attacker found a flaw in SwapNet's smart contract. The flaw was an arbitrary call vulnerability - it let the attacker instruct the contract to transfer any tokens it had standing approval for, from user wallets directly to the attacker's address. Everyone who had disabled One-Time Approval had given SwapNet standing approval for everything in their wallets. There were 18 of them.
Weilin Li, a DeFi security researcher and PhD student at University College London, described it as "the largest approval attack excluding phishing I have ever seen." PeckShield agreed. The attacker drained all 18 wallets before SwapNet paused its contracts approximately 45 minutes after the exploit began. By then the funds had been bridged from Base to Ethereum.
Confirmed loss: $13.43 million. One user: $13.34 million. The other 17 combined: $90,000.
Matcha Meta's own contracts were not compromised. 0x's AllowanceHolder and Settler contracts were not compromised. Every user who kept One-Time Approval enabled was completely unaffected. The flaw existed in SwapNet's contract and only worked against users who had manually disabled the safety feature for convenience.
No recovery has been reported. The funds moved from Base to Ethereum and disappeared.
The math is brutal. The user who lost $13.34 million had clicked a button that said, in effect: I trust this contract with everything I own, permanently. They were trying to avoid approving individual transactions. They saved a few seconds of friction on each trade across weeks or months. They lost $13.34 million in one afternoon.
The feature exists in nearly every DeFi protocol. The vulnerability exists wherever the contracts holding those approvals are less secure than the assets behind them. The setting is usually on by default. Some users turn it off because it feels slow.
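A defender-side check for the standing approvals described above, as an added example that is not code from this article, Matcha Meta or SwapNet: it replays ERC-20 Approval event logs in chain order and lists the wallets that still hold an effectively unlimited allowance to a given spender. The addresses and log entries are constructed sample data, and the 2**255 cutoff for "unlimited" is an assumption.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: treat anything this large as "unlimited"

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs):
    """Return {(token, owner, spender): amount} for approvals that are still non-zero.

    Each Approval overwrites the previous value, so approve(spender, 0) revokes.
    Amounts are an upper bound: transferFrom can spend a finite allowance down
    without emitting a new Approval event.
    """
    state = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 one has 4 topics)
        key = (log["address"].lower(),
               topic_to_address(topics[1]), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)
        else:
            state[key] = amount
    return state

def unlimited_exposure(logs, spender):
    """Sorted (owner, token) pairs with an unlimited allowance to `spender`."""
    return sorted((owner, token)
                  for (token, owner, s), amount in standing_allowances(logs).items()
                  if s == spender.lower() and amount >= UNLIMITED_FLOOR)

# --- constructed sample data (hypothetical addresses, not from the incident) ---
TOKEN, ROUTER, OTHER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
ALICE, BOB, CAROL = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
def pad(addr):
    return "0x" + "00" * 12 + addr[2:]
def make_log(token, owner, spender, amount):
    return {"address": token, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)]}
SAMPLE_LOGS = [
    make_log(TOKEN, ALICE, ROUTER, 2**256 - 1),  # persistent unlimited approval
    make_log(TOKEN, BOB, ROUTER, 500),           # exact amount for one trade
    make_log(TOKEN, CAROL, ROUTER, 2**256 - 1),  # unlimited ...
    make_log(TOKEN, CAROL, ROUTER, 0),           # ... later revoked
    make_log(TOKEN, ALICE, OTHER, 2**256 - 1),   # unlimited, different spender
]
```

On the sample data only Alice is reported for the router: Bob's approval is capped at one trade's amount and Carol's was revoked.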
Nobody has been identified. Nobody has been charged. The 18 users who disabled the safety setting have received no compensation.
The Aftermath
No recovery. No attacker identified. Matcha Meta issued a post-mortem confirming the SwapNet contract as the sole attack vector. 0x and Matcha Meta's own contracts confirmed secure. Users who maintained default One-Time Approval settings were completely unaffected. The 18 affected users received no compensation. SwapNet's contracts remain paused.