On January 26th, unknown attackers targeted the liquidity provider SwapNet. The first to highlight this were developers of the DEX aggregator Matcha Meta.
We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time Approvals
We are in contact with the SwapNet team and they have temporarily disabled their contracts
The team is actively investigating and will provide…
— Matcha Meta 🎆 (@matchametaxyz) January 25, 2026
Users of Matcha Meta who had disabled the one-time approval feature and manually granted permissions to SwapNet contracts were at risk.
To prevent similar risks in the future, developers removed this feature.
PeckShield specialists estimated the damage at $16.8 million. The perpetrator converted 10.5 million USDC into 3,655 ETH on the Base network and began transferring funds to Ethereum.
#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of “One-Time Approvals” are at risk.
So far, ~$16.8M worth of crypto has been drained.
On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF
— PeckShieldAlert (@PeckShieldAlert) January 26, 2026
CertiK analysts reported a theft of $13.3 million in USDC. The affected project’s team has yet to comment on the incident.
SwapNet is one of Matcha Meta’s leading routers for obtaining the best quotes or accessing deep liquidity pools.
On-chain detective ZachXBT noted Circle’s slow response. According to him, about 3 million coins remain at an address that could technically be frozen. However, the company took no action even 10 hours after the hack.
History has shown that Circle is a bad actor.
SwapNet contracts were exploited for $13M USDC on Base ~10 hours ago.
3M USDC is still sitting freezable at
0x6cAad74121bF602e71386505A4687f310e0D833eWhy should anyone continue building on $USDC when you never take care of your… pic.twitter.com/fgP3EmS7Qr
— ZachXBT (@zachxbt) January 26, 2026
“Why should anyone continue building on USDC when you, as a centralized issuer, never protect your users’ interests?” the expert asked.
The year 2026 has started poorly for the DeFi sector. In January, several decentralized projects were hacked:
- The Ethereum verification protocol Truebit lost 8,535 ETH ($26.4 million) due to a smart contract attack;
- The first-level blockchain Saga lost $7 million in USDC;
- Hackers stole data from 50,000 accounts of the French crypto company Waltio and demanded a ransom.
In 2025, the volume of stolen funds reached $3.4 billion, the highest since 2022. Three incidents, including the $1.46 billion Bybit hack, accounted for 69% of all losses.
Mitchell Amador, CEO of the Web3 security platform Immunefi, called a major hack a “death sentence” for 80% of protocols.