Liquidity Router Compromised on Base Network
Matcha Meta, the meta-DEX aggregator built by 0x, confirmed a critical security breach involving its integrated liquidity provider, SwapNet, resulting in a $16.8 million loss. The exploit, identified early Monday, targeted users on the Base network who had bypassed the platform’s default “One-Time Approval” feature in favor of infinite token permissions.
Security firm PeckShield reported the attacker successfully drained approximately 10.5 million USDC, immediately swapping it for 3,655 ETH (valued at ~$2,936 per Ether) to reduce the risk of the stablecoin being frozen. The stolen funds were subsequently bridged to the Ethereum mainnet, complicating recovery efforts. Matcha Meta has since disabled the direct permission feature, though core 0x contracts remain unaffected.
The “Infinite Approval” Vector
This incident highlights the dormant risk of infinite token approvals. While Matcha Meta defaults to single-use permissions, a practice designed to limit exposure, power users often enable direct, unlimited approvals to save on gas fees. The attacker leveraged a vulnerability in the SwapNet router contract to siphon funds exclusively from these exposed wallets. No users utilizing the standard One-Time Approval flow were impacted.
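To make the exposure concrete, the following added example (not code from Matcha Meta, 0x or SwapNet) replays ERC-20 Approval event logs and lists the wallets that still hold an effectively unlimited allowance to a given spender. The addresses, the sample logs and the 2**255 "unlimited" threshold are assumptions constructed for illustration; only the Approval event topic is a standard ERC-20 constant.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: allowances this large are effectively infinite

def _addr(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Replay Approval logs in chain order; each one overwrites the last.
    Finite values are an upper bound, since transferFrom spends them down
    without emitting Approval on many tokens; allowance() is authoritative."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 uses 4 topics)
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        state[key] = int(log["data"], 16)
    return state

def exposed(logs, spender):
    """(token, owner) pairs whose current allowance to `spender` is unlimited."""
    spender = spender.lower()
    return sorted((token, owner)
                  for (token, owner, s), value in live_allowances(logs).items()
                  if s == spender and value >= UNLIMITED)

# --- constructed sample data: placeholder addresses, not from the incident ---
TOKEN, ROUTER, OTHER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
ALICE, BOB, CAROL, DAVE = ("0x" + b * 20 for b in ("01", "02", "03", "04"))

def _log(block, index, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(100, 0, ALICE, ROUTER, 2**256 - 1),   # unlimited, never revoked
    _log(101, 0, BOB,   ROUTER, 500 * 10**6),  # exact-amount approval
    _log(102, 0, CAROL, ROUTER, 2**256 - 1),   # unlimited ...
    _log(105, 3, CAROL, ROUTER, 0),            # ... later revoked
    _log(103, 0, DAVE,  OTHER,  2**256 - 1),   # unlimited, different spender
]

if __name__ == "__main__":
    print(exposed(SAMPLE_LOGS, ROUTER))
```

Only the wallet with an unrevoked unlimited approval to the router is reported; the exact-amount approval, the revoked approval and the approval to a different spender are not.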
ZachXBT: Circle Failed to Act on $3M
The aftermath has sparked a heated debate regarding centralized stablecoin governance. On-chain sleuth ZachXBT publicly criticized USDC issuer Circle for failing to blacklist the attacker’s address, despite a 10-hour window where approximately $3 million in USDC sat idle before being swapped.
“History has proven Circle to be a bad actor. About 3 million coins remain at an address that could technically be frozen. However, the company took no action even 10 hours after the hack.”
The inaction raises fresh questions for institutional actors building on USDC, particularly regarding the responsiveness of its blacklist function during live exploits. As of press time, the stolen ETH remains on mainnet, with no further movement reported.