On January 26, unknown attackers targeted the liquidity provider SwapNet. The first to report this were the developers of the DEX aggregator Matcha Meta.
We are aware of an incident with SwapNet that users may have been exposed to on Matcha Meta for those who turned off One-Time Approvals.
— Matcha Meta 🎆 (@matchametaxyz) January 25, 2026
We are in contact with the SwapNet team and they have temporarily disabled their contracts.
The team is actively investigating and will provide…
Users of Matcha Meta who disabled the one-time approval feature and manually granted permissions to SwapNet contracts were at risk.
To mitigate such risks in the future, the developers removed this feature.
PeckShield experts assessed the damage at $16.8 million. The attacker converted 10.5 million USDC into 3,655 ETH on the Base network and began withdrawing funds in Ethereum.
#PeckShieldAlert Matcha Meta has reported a security breach involving SwapNet. Users who opted out of "One-Time Approvals" are at risk.
— PeckShieldAlert (@PeckShieldAlert) January 26, 2026
So far, ~$16.8M worth of crypto has been drained.
On #Base, the attacker swapped ~10.5M $USDC for ~3,655 $ETH and has begun bridging funds to… https://t.co/QOyV4IU3P3 pic.twitter.com/6OOJd9cvyF
CertiK analysts reported a theft of $13.3 million in USDC. The affected project's team has not yet commented on the incident.
SwapNet is one of the leading routers for Matcha Meta, providing access to the best quotes or deep liquidity pools.
On-chain detective ZachXBT criticized Circle for its slow response. According to him, about 3 million coins remain in an address that could technically be frozen. However, the company took no action even 10 hours after the hack.
History has shown that Circle is a bad actor.
— ZachXBT (@zachxbt) January 26, 2026
SwapNet contracts were exploited for $13M USDC on Base ~10 hours ago.
3M USDC is still sitting freezable at
0x6cAad74121bF602e71386505A4687f310e0D833e
Why should anyone continue building on $USDC when you never take care of your… pic.twitter.com/fgP3EmS7Qr
"Why should anyone continue building on USDC when you, as a centralized issuer, never protect your users' interests?" — questioned the expert.
The year 2026 has started poorly for the DeFi sector. In January, several decentralized projects were hacked:
- The Ethereum verification protocol Truebit lost 8,535 ETH ($26.4 million) due to a smart contract attack;
- The layer one blockchain Saga lost $7 million in USDC;
- Hackers stole data from 50,000 accounts at the French crypto company Waltio and demanded a ransom.
Recall that in 2025, the total amount stolen reached $3.4 billion — the highest since 2022. Three incidents, including the $1.46 billion Bybit hack, accounted for 69% of all losses.
The CEO of Web3 security platform Immunefi, Mitchell Amador, called the major hack a "death sentence" for 80% of protocols.