On-chain investigator ZachXBT has issued a scathing critique of stablecoin issuer Circle, accusing the company of negligence after it failed to freeze approximately $3 million in stolen USDC following a $16.8 million exploit of SwapNet contracts on the Base network. The funds reportedly sat in a static wallet for over 10 hours, raising fresh questions about what users gain from a centralized stablecoin whose issuer does not use its freezing powers during an active security breach.
The "Sitting Duck" Millions
The controversy stems from a January 26 security incident involving SwapNet, a routing contract integrated into the Matcha DEX aggregator. According to PeckShield, attackers drained approximately $16.8 million from users who had disabled "One-Time Approvals" in favor of unlimited token allowances.
While the attacker quickly swapped roughly $10.5 million of the loot into 3,655 ETH and bridged it to Ethereum to obscure the trail, a significant portion remained untouched. ZachXBT identified that $3 million in USDC was left lingering in the attacker's wallet (0x6cAad74121bF602e71386505A4687f310e0D833e) on the Base network.
Despite the theft being fully visible on-chain, Circle did not blacklist the address during the critical window, even though the USDC token contract gives the issuer a blacklister role that can block an address from sending or receiving tokens.
"How hard is it to do the right thing as a leading centralized stablecoin issuer?" ZachXBT wrote, highlighting the discrepancy between Circle's centralized control and its slow reaction time compared to competitors like Tether.
The Vector: Unlimited Approvals
The exploit was not a failure of the core Matcha protocol or 0x infrastructure. Instead, it targeted the SwapNet router contract specifically. Users who stuck to Matcha's default "One-Time Approval" feature were unaffected, because an exact-amount approval is consumed by the swap it was granted for and leaves nothing for a later caller to spend. The vulnerability only exposed those who manually opted for "unlimited approvals", a setting often chosen by high-frequency traders to save on gas fees: an unlimited ERC-20 allowance lets the approved contract call transferFrom for any amount at any later time, so once the SwapNet contract was compromised it could move the affected users' entire balances of every approved token without any further interaction from them. The practical check is to review which spenders still hold an unlimited allowance on each token and revoke the ones no longer needed by approving them for zero.
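The following is an added example, not SwapNet, Matcha or Circle code, and every name in it (the token, the users, the router, the attacker) is constructed for illustration. It models the ERC-20 allowance rules the paragraph above relies on: a router that pulls funds with transferFrom, an unlimited approval that survives every swap, an exact-amount approval that is spent by the swap, and a revocation via approve(spender, 0). It then plays out a router compromise against all three kinds of user, and adds a simple issuer-side freeze modelled on the blacklist behaviour the article discusses, to show what a timely freeze would have done to the stolen balance.

```python
# Added example: ERC-20 allowance model showing why unlimited router approvals
# turn a router compromise into a full drain. All names are constructed.

MAX_UINT256 = 2**256 - 1  # the "unlimited" approval value

ROUTER, POOL, ATTACKER = "router", "pool", "attacker"


class TransferError(Exception):
    """Models a reverted transfer: insufficient allowance/balance, or frozen party."""


class Token:
    """ERC-20 subset: balances, approve/allowance/transferFrom, plus an issuer freeze."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}   # (owner, spender) -> amount
        self.frozen = set()    # addresses blocked by the issuer

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def freeze(self, addr):
        """Issuer-side freeze: the address can no longer send or receive."""
        self.frozen.add(addr)

    def _move(self, owner, to, amount):
        if owner in self.frozen or to in self.frozen:
            raise TransferError(f"{owner} -> {to}: a party is frozen")
        if amount > self.balances.get(owner, 0):
            raise TransferError(f"{owner} lacks {amount}")
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        self._move(sender, to, amount)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise TransferError(f"{spender} may move only {allowed} from {owner}")
        # Common convention (e.g. OpenZeppelin's _spendAllowance): a max-uint
        # allowance is treated as infinite and never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self._move(owner, to, amount)


def swap(token, user, amount):
    """Legitimate router path: pull `amount` from the user into the pool."""
    token.transfer_from(ROUTER, user, POOL, amount)


def drain(token, victims, sink):
    """A compromised router sweeps whatever each prior approval still permits."""
    stolen = {}
    for victim in victims:
        spendable = min(token.allowance(victim, ROUTER), token.balances.get(victim, 0))
        if spendable:
            token.transfer_from(ROUTER, victim, sink, spendable)
            stolen[victim] = spendable
    return stolen


def unlimited_spenders(token, owner):
    """Audit helper: spenders that still hold an unlimited allowance from `owner`."""
    return sorted(s for (o, s), amt in token.allowances.items()
                  if o == owner and amt == MAX_UINT256)


def revoke(token, owner, spender):
    """Revocation is just approve(spender, 0)."""
    token.approve(owner, spender, 0)


def run_scenario():
    usdc = Token({"alice": 1000, "bob": 1000, "carol": 1000})
    usdc.approve("alice", ROUTER, MAX_UINT256)   # unlimited approval, never revoked
    usdc.approve("bob", ROUTER, 100)             # one-time, exact-amount approval
    usdc.approve("carol", ROUTER, MAX_UINT256)   # unlimited, but revoked after use
    for user in ("alice", "bob", "carol"):
        swap(usdc, user, 100)
    revoke(usdc, "carol", ROUTER)
    exposed = {u: unlimited_spenders(usdc, u) for u in ("alice", "bob", "carol")}
    stolen = drain(usdc, ["alice", "bob", "carol"], ATTACKER)   # router is now hostile
    usdc.freeze(ATTACKER)                                       # issuer acts on the report
    try:
        usdc.transfer(ATTACKER, "bridge", usdc.balances[ATTACKER])
        attacker_can_move = True
    except TransferError:
        attacker_can_move = False
    return {"balances": dict(usdc.balances), "stolen": stolen,
            "exposed": exposed, "attacker_can_move": attacker_can_move}


if __name__ == "__main__":
    print(run_scenario())
```

Only alice loses funds: bob's allowance was spent to zero by his own swap, and carol's revocation left the compromised router nothing to pull. The freeze at the end is what the article faults Circle for not doing in time; in the model it stops the attacker moving the stolen balance, but it does nothing to recover what was already bridged away.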
Institutional Context: The "Worst of Both Worlds"
This incident has reignited a fierce debate regarding the trade-offs of centralized stablecoins such as USDC and USDT. Proponents often argue that the centralization risk of such tokens is offset by the issuer's ability to freeze stolen funds while they are still in the attacker's hands. However, ZachXBT's criticism points to a "worst of both worlds" scenario: users suffer the censorship risk of a centralized entity without receiving the protection of swift asset freezing.
This is not the first time Circle has faced such scrutiny. The issuer has previously been contrasted with Tether, which has historically been faster to freeze USDT associated with high-profile hacks, including the recent Ledger exploit.