While the market is trying to hold its positions, the DeFi sector has been shaken by another disaster. On the night of January 25 to 26, 2026, hackers attacked SwapNet - a key liquidity routing hub for the Matcha Meta aggregator.
The estimates of the stolen funds vary, but amount to about $16.8 million (PeckShield) or $13.3 million (CertiK).
The attack was carried out through a vulnerability in the SwapNet contract, which allowed the attacker to transfer users' funds who had granted permanent (not one-time) permissions to this contract.
The attacker has already converted about 10.5 million $USDC to approximately 3,655 $ETH on the Base network and has started transferring them to the main Ethereum network, complicating their tracking.
However, on-chain detective ZachXBT is sounding the alarm: on the hacker's main address, there are still $3,000,000 that can be saved. However, the issuer Circle demonstrates strange passivity.
"More than 10 hours have passed since the hack. Technically, Circle can freeze these assets with one click, but they still haven't done it," notes ZachXBT.
This situation has raised a wave of outrage in the ecosystem: why build on centralized USDC if the issuer does not protect users' interests in critical moments? If Circle ignores a hack of this scale, can we really trust stablecoins in 2026?
⚠️ Matcha Meta and experts strongly recommend to users:
Make sure you are using only one-time contracts 0x.
If you have interacted with SwapNet or other suspicious aggregators, IMMEDIATELY revoke all permissions granted to these contracts.
🛠️ Tools for revoking permissions: Revoke.cash or Etherscan Token Approvals.
Stay vigilant! Keep an eye on updates.
#SwapNet #MatchaMeta #USDC #Circle #ZachXBT #CertiK #DeFiNews #CryptoSecurity #Hack2026