Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
According to PeckShield, Matcha Meta reported that SwapNet suffered a security breach, with losses reaching $16.8 million. The attacker swapped approximately 10.5 million USDC for around 3,655 ETH on Base, and has begun bridging the funds to Ethereum. BlockSec’s analysis indicates that the affected contract is not open-sourced and appears to contain an arbitrary call vulnerability. The attacker abused existing token approval mechanisms to execute transferFrom operations and steal assets. The cumulative losses are estimated at $13.37 million on Base, $3.53 million on Ethereum, $125,000 on Arbitrum, and $15,000 on BSC. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 16,800,000.
- chain
- ethereum
- protocol
- SwapNet
- bug_class
- external-call
- date_occurred
- 2026-01-26
- loss_usd
- $16,800,000
- source_id
- sm:swapnet::2026-01-26