SwapNet Exploit Drains $16.8M; ZachXBT Blasts Circle’s ‘Bad Faith’ Inaction
A $16.8M drain on SwapNet exposes approval risks while ZachXBT tears into Circle for failing to freeze $3M in stolen USDC.
Base Network. Another day, another bridge-related liquidity event. Matcha Meta confirmed early Monday that its SwapNet router suffered a critical security breach, draining approximately $16.8 million in user funds. The attack specifically targeted users who had disabled the protocol’s "One-Time Approval" safety feature, effectively punishing the most active traders for prioritizing efficiency over security.
The Mechanism: Convenience as a Vector
The exploit was surgical. According to on-chain security firm PeckShield, the attacker leveraged open token approvals, a setting many power users toggle to avoid paying gas fees on every trade, to drain wallets interacting with the SwapNet contract. Once access was secured, the exploiter executed a rapid liquidation of 10.5 million USDC, swapping it for approximately 3,655 ETH on the Base network.
Liquidity on Base stuttered immediately following the drain. Ethereum (ETH) dipped 2.3% to $2,870 as the market priced in the looming sell pressure. The attacker has already begun bridging the illicit ETH to the Ethereum mainnet, a classic laundering step utilizing privacy mixers like Tornado Cash.
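The open-approval exposure described in this section can be audited from ERC-20 Approval event logs. The Python below is an added example, not code from Matcha Meta, SwapNet or PeckShield; it replays logs in the shape returned by the standard eth_getLogs JSON-RPC call, lists the allowances still open to one spender, and builds the approve(spender, 0) calldata that revokes them. All addresses and log entries are constructed placeholders.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
UNLIMITED = 2**255              # heuristic: anything this large is effectively infinite

def topic_to_addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, spender):
    """Map (token, owner) -> last allowance set for `spender`, dropping revocations.
    Finite allowances may since have been spent; confirm with allowance() on-chain."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue            # ERC-721 Approval shares the topic but has 4 topics
        if topic_to_addr(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_addr(topics[1]))
        value = int(log["data"], 16)
        if value:
            state[key] = value
        else:
            state.pop(key, None)   # approve(spender, 0) is a revocation
    return state

def revoke_calldata(spender):
    """ABI-encoded approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def make_log(block, idx, token, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Added example data: constructed placeholders, not addresses from the incident.
ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, ALICE, BOB = "0x" + "11" * 20, "0x" + "01" * 20, "0x" + "02" * 20
SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, ALICE, ROUTER, 2**256 - 1),  # unlimited approval
    make_log(101, 0, TOKEN, BOB, ROUTER, 5_000_000),     # finite approval...
    make_log(102, 3, TOKEN, BOB, ROUTER, 0),             # ...later revoked
    make_log(103, 1, TOKEN, ALICE, OTHER, 2**256 - 1),   # different spender, ignored
    make_log(99, 2, TOKEN, ALICE, ROUTER, 1_000),        # out of order; superseded at block 100
]

if __name__ == "__main__":
    for (token, owner), value in open_approvals(SAMPLE_LOGS, ROUTER).items():
        print(token, owner, "UNLIMITED" if value >= UNLIMITED else value)
```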
The Controversy: ZachXBT Calls Out Circle
While the technical vector is a known DeFi hazard, the institutional response, or lack thereof, has ignited a firestorm. On-chain sleuth ZachXBT publicly flayed Circle, the issuer of USDC, for failing to blacklist the attacker’s address in time.
"Circle had 10 hours to freeze 3M USDC sitting in the exploiter’s wallet. They did nothing. History has shown Circle is a bad actor when it comes to protecting users," ZachXBT wrote.
The criticism highlights a growing rift between centralized stablecoin issuers and the DeFi community. While Tether (USDT) often freezes funds within minutes of a major hack, Circle has increasingly adopted a policy of waiting for formal law enforcement requests, a delay that effectively renders the "centralized" safety net useless during live exploits.
Market Implications
The immediate fallout is localized but severe for Matcha Meta users. The protocol has paused all contracts, but for those with infinite approvals already signed, the damage is irreversible unless a whitehat recovery occurs. For the broader market, the focus shifts to the 3,655 ETH now moving across chains. If the attacker dumps the stash on-market, thin liquidity during weekend-adjacent trading hours could exacerbate ETH’s slide toward the $2,850 support level.