SwapNet Exploit Drains $17M, Exposes DeFi Approval Risks

• The exploitation of the smart contract resulted in the loss of approximately $17 million due to SwapNet.
• The users, having disabled the feature for one-time approvals, were exposed to persistent token permissions.
• This episode again demonstrates the security compromises available in DeFi.

A massive smart contract hack has been identified in the on-chain DEX aggregator SwapNet, which resulted in crypto assets to the tune of close to $16.8 million being siphoned off. 

Peck Shield, a security company, first reported the attack, noting the suspicious action on the platform’s SwapNet integrations, which can be found through Matcha Meta, a meta-Dex aggregator platform that the 0x team designed. On the Base network, the hacker swapped $10.5 million in USDC tokens for approximately 3,655 Ether. The attacker then bridged the funds to the Ethereum network, which can be complicated to track and trace.

Matcha Meta explained, however, that the bug didn’t even emanate from its primary stack. The issue for users began with them disabling 0x’s own feature, called “One-Time Approval,” which is designed to restrict tokens’ permissions. In disabling this, users inadvertently allowed approvals directly, rather than restricting them, even for underlying aggregator contracts like SwapNet’s router, which is used by this attacker.

Matcha Meta recognized this publicly and stated that it had collaborated with the SwapNet team. SwapNet had paused the smart contracts to contain the damage and identify the exploit path for their investigation.

Approval settings under scrutiny

The platform urged users to immediately revoke approvals granted outside the One-Time Approval framework. It highlighted SwapNet’s router contract as a priority target for revocation. Without intervention, wallets would have remained exposed even after the exploit stopped.

This situation highlights an important trade-off inherent in DeFi applications. With One-Time Approvals, each transaction must be separately authorized. This, of course, helps with reduced permissions but also introduces friction. By contrast, Unlimited approvals facilitate smooth trading but grant contracts persistent access to funds. When attackers compromise a contract, those standing permissions become a direct risk.

SwapNet has not yet published a detailed technical post-mortem. The team also has not confirmed whether it will compensate affected users. That lack of clarity adds pressure on aggregator platforms to improve transparency and tighten integration standards.

Broader pattern of smart contract risks

The SwapNet exploit has not happened in a vacuum. In fact, on the same day, a different Ethereum exploit was spotted by Pashov, a security auditor, where about 37 WBTC, valued at over $3.1 million, was stolen. The exploit targeted a closed-source and unverified code deployed just weeks earlier. In fact, this code exposed the bytecode only, and it was difficult to evaluate it easily.

All of these attacks create a sense of a topological threat landscape on DeFi protocols, specifically around unverified codes, continuous token approvals, and complex routing layers connecting various protocols. Clearly, in spite of improved audits and better tools, threat actors continue to leverage design optimization and integration blind spots.

As DeFi grows more interconnected, developers must harden approval systems and reduce hidden trust assumptions. Meanwhile, users must actively manage permissions and understand the security implications of convenience features. The SwapNet exploit shows that small configuration choices can have multi-million-dollar consequences.

Highlighted Crypto News:

Japan Targets First Crypto ETFs Approval by 2028