Makina Finance, CoWSwap and Matcha Meta: Matcha Meta reports a security breach, $16.8M drained, with more users at risk

Matcha Meta Suffers $16.8M Exploit via SwapNet Security Breach

On January 25, 2026, Matcha Meta, a swap and bridge aggregation platform built by 0x, confirmed a $16.8 million loss in digital assets due to a security breach in SwapNet, an external aggregator integrated into its interface. The attack occurred over the weekend, targeting users who had disabled Matcha Meta’s "One-Time Approvals" feature and granted direct token permissions to SwapNet.

According to PeckShield, the attacker exploited token approvals to drain funds, swapping 10.5 million USDC from victim addresses on Base (an Ethereum Layer-2) for 3,655 ETH before bridging the assets to the Ethereum mainnet to obscure transaction trails. The breach stemmed from unlimited token allowances, which allowed the attacker to move funds without user signatures once permissions were granted.

Matcha Meta clarified that users who relied on its One-Time Approval system, which routes permissions through 0x’s AllowanceHolder and Settler contracts, were unaffected. The platform has since disabled direct allowance settings for aggregators and urged users to revoke existing permissions on SwapNet’s router contract.
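
To find which wallets still need the revocation urged above, the standing allowances can be rebuilt from ERC-20 Approval event logs. The following is an added example, not code from Matcha Meta, 0x or SwapNet: the spender address, the token and owner addresses and the sample logs are constructed placeholders, and the function names are hypothetical.

```python
# Added example: replay ERC-20 Approval logs to list allowances a spender still holds.
# WATCHED_SPENDER is a placeholder, not SwapNet's real router address.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is an "unlimited" approval
WATCHED_SPENDER = "0x" + "ab" * 20

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spender):
    """Return non-zero allowances to `spender` after applying logs in chain order."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 one has 4 topics)
        if topic_to_address(topics[2]) != spender.lower():
            continue
        # A later Approval overwrites the earlier one; value 0 is a revocation.
        state[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    # Finite values are an upper bound: transferFrom may have spent part of them
    # without a new Approval event, so confirm with allowance() before acting.
    return [{"token": t, "owner": o, "value": v, "unlimited": v >= UNLIMITED_FLOOR}
            for (t, o), v in sorted(state.items()) if v > 0]

def pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def mk(block, idx, token, owner, spender, value):
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample data (no real addresses or transactions).
TOKEN = "0x" + "11" * 20
OWNER_A, OWNER_B, OWNER_C, OWNER_D = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4"))
OTHER_SPENDER = "0x" + "ef" * 20
SAMPLE_LOGS = [
    mk(150, 0, TOKEN, OWNER_B, WATCHED_SPENDER, 0),             # B revoked later
    mk(100, 3, TOKEN, OWNER_A, WATCHED_SPENDER, 2**256 - 1),    # A: unlimited, still live
    mk(101, 1, TOKEN, OWNER_B, WATCHED_SPENDER, 2**256 - 1),
    mk(120, 0, TOKEN, OWNER_C, WATCHED_SPENDER, 500 * 10**6),   # C: finite
    mk(130, 2, TOKEN, OWNER_D, OTHER_SPENDER, 2**256 - 1),      # different spender
    {**mk(140, 0, TOKEN, OWNER_D, WATCHED_SPENDER, 1), "topics": ["0x" + "dd" * 32]},
]

if __name__ == "__main__":
    for finding in outstanding_allowances(SAMPLE_LOGS, WATCHED_SPENDER):
        print(finding)
```

Owners reported with "unlimited" set are the ones exposed in the way the article describes; each should revoke by approving a value of 0 for that spender.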

The incident follows a $4.13 million exploit of Makina Finance on January 19, where attackers drained a DUSD/USDC liquidity pool on Curve via a compromised pricing oracle. DeFi breaches remain persistent in 2026, with similar attacks reported on platforms like CoWSwap in 2025, where a solver account exploit led to $180,000 in DAI losses. Blockchain analytics firm Elliptic notes that such exploits often leverage coin swap services for money laundering.

Source: https://www.cryptopolitan.com/matcha-meta-security-breach-16-8m-drained/

Makina cybersecurity rating report: https://www.rankiteo.com/company/makinafi

CoW DAO cybersecurity rating report: https://www.rankiteo.com/company/cow-protocol

0x cybersecurity rating report: https://www.rankiteo.com/company/0x

"id": "MAKCOW0X1769425866",
"linkid": "makinafi, cow-protocol, 0x",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users who disabled One-Time '
                                              'Approvals feature',
                        'industry': 'DeFi (Decentralized Finance)',
                        'name': 'Matcha Meta',
                        'type': 'Swap and bridge aggregation platform'}],
 'attack_vector': 'Token approval exploitation',
 'customer_advisories': 'Users who disabled One-Time Approvals should revoke '
                        'SwapNet permissions immediately.',
 'data_breach': {'data_exfiltration': 'Yes (funds bridged to Ethereum mainnet)',
                 'sensitivity_of_data': 'High (cryptocurrency funds)',
                 'type_of_data_compromised': 'Digital assets (USDC, ETH)'},
 'date_detected': '2026-01-25',
 'date_publicly_disclosed': '2026-01-25',
 'description': 'Matcha Meta, a swap and bridge aggregation platform built by '
                '0x, confirmed a $16.8 million loss in digital assets due to a '
                'security breach in SwapNet, an external aggregator integrated '
                'into its interface. The attack targeted users who had '
                "disabled Matcha Meta’s 'One-Time Approvals' feature and "
                'granted direct token permissions to SwapNet. The attacker '
                'exploited token approvals to drain funds, swapping 10.5 '
                'million USDC for 3,655 ETH before bridging the assets to the '
                'Ethereum mainnet.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'financial_loss': '$16.8 million',
            'operational_impact': 'Disabled direct allowance settings for '
                                  'aggregators',
            'systems_affected': 'SwapNet aggregator, Matcha Meta platform'},
 'initial_access_broker': {'entry_point': 'Token approvals granted to SwapNet'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Unlimited token allowances pose significant security '
                    'risks; One-Time Approval systems are more secure.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Disabled direct allowance '
                                                  'settings for aggregators; '
                                                  'urged users to revoke '
                                                  'permissions',
                            'root_causes': 'Unlimited token allowances granted '
                                           'to SwapNet aggregator'},
 'recommendations': 'Users should revoke unnecessary token permissions and '
                    'enable One-Time Approvals. Platforms should disable '
                    'direct allowance settings for third-party aggregators.',
 'references': [{'source': 'PeckShield'}, {'source': 'Elliptic'}],
 'response': {'communication_strategy': 'Public disclosure and user advisories',
              'containment_measures': 'Disabled direct allowance settings for '
                                      'aggregators',
              'remediation_measures': 'Urged users to revoke existing '
                                      'permissions on SwapNet’s router '
                                      'contract',
              'third_party_assistance': 'PeckShield (blockchain analytics)'},
 'stakeholder_advisories': 'Users advised to revoke SwapNet permissions and '
                           'enable One-Time Approvals.',
 'title': 'Matcha Meta Suffers $16.8M Exploit via SwapNet Security Breach',
 'type': 'Security Breach',
 'vulnerability_exploited': 'Unlimited token allowances'}