Hacker swipes $17m from Matcha Meta users as protocol reports security ‘incident’

Matcha Meta told users to revoke approvals to other aggregators as a precaution. Illustration: Andrés Tapia; Credit: Shutterstock
  • Matcha Meta users impacted by hack.
  • The aggregator has pinned the incident on SwapNet.
  • Users should revoke approvals as a precaution.

A hacker has stolen almost $17 million worth of crypto from users of Matcha Meta, a DeFi exchange meta aggregator built by 0x.

The attack began at around 5:10pm London time on January 25. Crypto security firm PeckShield, one of several firms to report the incident, characterised it as a security breach.

At 9:47pm, Matcha Meta confirmed the attack in an X post. It said that the incident was due to SwapNet, an exchange aggregator integrated with the protocol.

Users who had their trades routed through SwapNet and turned off One-Time Approvals are at risk, Matcha Meta said, telling users to revoke all approvals to individual aggregators outside of 0x’s One-Time Approval contracts as a precaution.

“The nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts,” the project said.

Matcha Meta is what’s known in the industry as a meta aggregator. Simply put, it’s a one-stop-shop for traders, searching all the decentralised exchange aggregators out there to find the one that offers the most cost-efficient trades, for a small fee.

DeFi protocol exploits — particularly those targeting older smart contracts — are a huge concern among DeFi developers and crypto security experts.

Last year, hackers swiped over $649 million through code exploits, according to a report from SlowMist, a blockchain security firm.

Unlimited approvals

When DeFi users trade crypto on blockchains like Ethereum, they must first sign a preliminary transaction that lets the exchange they’re using spend the token they want to trade.

Some exchanges and exchange aggregators give users the option to limit this transaction to a one-time approval for just the amount the user wants to sell. But they also let users set unlimited approvals manually that persist after the transaction has been completed.

While doing this can speed up trading and save on transaction fees, it also introduces security risks. In some cases, if the exchange a user has given an unlimited approval to is hacked or exploited, the attacker can use the approval to steal tokens from that user’s wallet.

That appears to be what has happened at SwapNet.

“The root cause appears to be an arbitrary call controlled by the attacker that drains the open allowance to this contract,” Weilin Li, a DeFi security researcher and PhD student at University College London, said on X. “This is the largest approval attack (excluding phishing) I’ve ever seen.”

It’s not clear how a hacker was able to gain access to SwapNet’s smart contracts. SwapNet did not immediately respond to a request for comment.
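
A defensive check that follows from the approval mechanics described above, as an added example that is not part of the original article: it replays a wallet's ERC-20 `Approval` event logs to list the allowances that are still open, with unlimited ones first. Every address and log entry is constructed, the `one_time_contracts` allowlist is a hypothetical stand-in for spenders the user chooses to keep, and the last `Approval` event is only an upper bound on the live allowance, which should be confirmed with the token's `allowance()` call.

```python
# Added example; every address and log entry below is constructed sample data.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: treat anything this large as unlimited

def topic_to_address(topic):  # indexed address = 32-byte word, keep the low 20 bytes
    return "0x" + topic[-40:].lower()

def open_allowances(logs, owner):
    """Replay Approval logs (in chain order) into {(token, spender): amount}."""
    state = {}
    for log in logs:
        topics = log["topics"]
        # ERC-721 reuses this topic with a fourth (tokenId) topic; skip those.
        if (len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC
                or topic_to_address(topics[1]) != owner.lower()):
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)   # approve(spender, 0) is a revocation
        else:
            state[key] = amount    # a later approval overwrites the earlier one
    return state

def triage(allowances, one_time_contracts):
    """List allowances to review for revocation, unlimited ones first."""
    findings = [("UNLIMITED" if amt >= UNLIMITED_THRESHOLD else "LIMITED", tok, sp, amt)
                for (tok, sp), amt in allowances.items() if sp not in one_time_contracts]
    return sorted(findings, key=lambda f: f[0] != "UNLIMITED")

def make_log(token, owner, spender, amount):  # builds one constructed log entry
    topics = [APPROVAL_TOPIC] + ["0x" + "0" * 24 + a[2:] for a in (owner, spender)]
    return {"address": token, "topics": topics, "data": hex(amount)}
OWNER, OTHER, TOKEN_A, TOKEN_B = ("0x" + b * 20 for b in ("aa", "ab", "01", "02"))
AGGREGATOR, OLD_DEX, ONE_TIME = ("0x" + b * 20 for b in ("bb", "dd", "cc"))
SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, AGGREGATOR, MAX_UINT256),  # unlimited, still open
    make_log(TOKEN_B, OWNER, OLD_DEX, 500),
    make_log(TOKEN_B, OWNER, OLD_DEX, 0),               # revoked later
    make_log(TOKEN_A, OWNER, ONE_TIME, 1000),           # allowlisted spender
    make_log(TOKEN_B, OWNER, AGGREGATOR, 250),
    make_log(TOKEN_A, OTHER, AGGREGATOR, MAX_UINT256),  # someone else's approval
]
if __name__ == "__main__":
    for finding in triage(open_allowances(SAMPLE_LOGS, OWNER), {ONE_TIME}):
        print(*finding)
```

On the sample data the unlimited approval to the constructed aggregator address is listed first, the revoked approval disappears, and the allowlisted spender is skipped.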

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
