A hacker has stolen almost $17 million worth of crypto from users of Matcha Meta, a DeFi exchange meta aggregator built by 0x. The attack began at around 5:10pm London time on January 25. Crypto security firm Peckshield, one of several firms to report the incident, characterised it as a security breach. At 9:47pm, Matcha Meta confirmed the attack in an X post. It said that the incident was due to SwapNet, an exchange aggregator integrated with the protocol. Users who had their trades routed through SwapNet and turned off One-Time Approvals are at risk, Matcha Meta said, telling users to revoke all approvals to individual aggregators outside of 0x’s One-Time Approval contracts as a precaution. “The nature of the incident was not associated with 0x’s AllowanceHolder or Settler contracts,” the project said. Matcha Meta is what’s known in the industry as a meta aggregator. Simply put, it’s a one-stop-shop for traders, searching all the decentralised exchange aggregators out there to find the one that offers the most cost-efficient trades, for a small fee. DeFi protocol exploits — particularly those targeting older smart contracts — are a huge concern among DeFi developers and crypto security experts. Last year, hackers swiped over $649 million through code exploits, according to a report from Slowmist, a blockchain security firm. Unlimited approvals When DeFi users trade crypto on blockchains like Ethereum, they must first sign a preliminary transaction that lets the exchange they’re using spend the token they want to trade. Some exchanges and exchange aggregators give users the option to limit this transaction to a one-time approval for just the amount the user wants to sell. But they also let users set unlimited approvals manually that persist after the transaction has been completed. While doing this can speed up trading and save on transaction fees, it also introduces security risks. In some cases, if the exchange a user has given an unlimited approval to is hacked or exploited, the attacker can use the approval to steal tokens from that user’s wallet. That appears to be what has happened at SwapNet. “The root cause appears to be an arbitrary call controlled by the attacker that drains the open allowance to this contract,” Weilin Li, a DeFi security researcher and PhD student at University College London, said on X. “This is the largest approval attack (excluding phishing) I’ve ever seen.” It’s not clear how a hacker was able to gain access to SwapNet’s smart contracts. SwapNet did not immediately respond to a request for comment. Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
Hacker Steals $17M from Matcha Meta Users in DeFi Security Incident
DL NewsShare
Summary
A DeFi exploit hit Matcha Meta users on January 25, with a hacker stealing $17 million through SwapNet, an integrated exchange aggregator. Matcha Meta confirmed the security breach, noting that users with unlimited approvals on SwapNet are at risk. The incident exposes vulnerabilities in older smart contracts, raising concerns over DeFi exploit risks.
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.