SwapNet Loses $13.4 Million Due to Input Validation Flaw Leading to Asset Drain


Author:
DarkChainX
Published:
2026-01-28 19:15:02


SwapNet, a decentralized exchange (DEX) aggregator, has lost $13.4 million across Ethereum, Arbitrum, Base, and Binance Smart Chain to a critical input validation vulnerability. Separately, Aperture Finance, a liquidity management protocol, lost $3.67 million to an attack exploiting the same class of flaw. Both incidents show what happens when a smart contract places no restrictions on the targets and calldata of the external calls it makes, especially in closed-source systems where external review is limited. Here is a breakdown of what went wrong and how the platforms are responding.

What Caused SwapNet’s $13.4 Million Loss?

The root of SwapNet’s vulnerability lay in one of its contract functions, which did not validate its critical inputs: the call target and the calldata were used exactly as the caller supplied them. Attackers exploited this by passing a token contract such as USDC where a router or pool address was expected. The victim contract then treated the token as a legitimate execution target and issued a low-level call to it with attacker-controlled data. Because the contract holding users’ approvals was the msg.sender of that call, the data could instruct the token to move approved balances straight out of users’ wallets. The result was a free-for-all drain of every asset users had approved to the contract.

The attack primarily affected users of Matcha Meta, a DeFi platform that had allowed its "Single Approval" feature to be disabled, leaving users with infinite approvals granted directly to SwapNet’s contracts. One user alone lost $13.34 million; 20 users were affected in total. The exploit began on Base at block 41289829, and SwapNet paused its Base contracts 45 minutes later. In that window, however, 13 more users were hit across the three other chains.

Aperture Finance’s $3.67 Million Mistake

Aperture Finance, which manages Uniswap V3 liquidity positions, fell victim to the same class of vulnerability in one of its functions. When invoked, an internal helper executed low-level calls using user-provided data with no restriction on the call target or the function selector. This let attackers craft calls that siphoned ERC-20 tokens and even set approvals on Uniswap V3 position NFTs.

Users at risk were those who had approved the "Instant Liquidity Management" functions. In one Ethereum attack, the exploiter deployed a contract that invoked the vulnerable function with just 100 wei of ETH. After wrapping the native tokens into WETH, the malicious call drained the approved tokens while bypassing the contract’s balance checks.
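The pattern behind both incidents, an external call whose target and calldata are taken from the caller unchecked, is easiest to see side by side with its hardened form. The following is an added illustration and is not SwapNet’s or Aperture Finance’s code: the contract names, function names, the router and selector allowlists, and the swap parameters are assumptions chosen to make the vulnerability class concrete. It covers both the SwapNet case (a token passed where a router was expected) and the Aperture case (arbitrary selectors such as approve reaching a contract that holds users’ approvals).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the vulnerability class described in the article.
// NOT SwapNet's or Aperture Finance's code: contract names, function names,
// the allowlist design and the swap parameters are all assumptions.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE: `target` and `data` are caller-controlled and never validated.
// If a user has approved this contract on USDC, anyone can call
//   execute(USDC, abi.encodeCall(IERC20.transferFrom, (victim, attacker, amount)))
// The token sees msg.sender == this contract, which is the approved spender,
// so the transfer succeeds and the victim's approved balance is drained.
contract VulnerableExecutor {
    function execute(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

// HARDENED: the target must be an allowlisted router and never a token, the
// selector must be allowlisted, the `from` of every transferFrom is always
// msg.sender (never read from calldata), and the router's allowance is scoped
// to this single swap and reset afterwards.
contract HardenedExecutor {
    address public immutable owner;
    mapping(address => bool) public isRouter;
    mapping(bytes4 => bool) public isAllowedSelector;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setRouter(address router, bool allowed) external onlyOwner {
        require(router.code.length > 0, "router must be a contract");
        isRouter[router] = allowed;
    }

    function setSelector(bytes4 selector, bool allowed) external onlyOwner {
        // Token-management selectors are never valid router entry points; refuse
        // them even if an operator tries to allowlist them by mistake.
        require(selector != IERC20.transferFrom.selector, "transferFrom not allowed");
        require(selector != IERC20.approve.selector, "approve not allowed");
        isAllowedSelector[selector] = allowed;
    }

    function swap(
        address router,
        address tokenIn,
        uint256 amountIn,
        address tokenOut,
        uint256 minOut,
        bytes calldata data
    ) external {
        require(isRouter[router], "target is not an allowlisted router");
        require(router != tokenIn && router != tokenOut, "target is a token");
        require(data.length >= 4, "calldata too short");
        require(isAllowedSelector[bytes4(data[:4])], "selector not allowed");

        // Pull exactly amountIn from the caller. The user's allowance is only ever
        // spent on behalf of msg.sender, so nobody can name another user as `from`.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        uint256 outBefore = IERC20(tokenOut).balanceOf(address(this));
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");

        // Pay out only what this swap actually produced, and only to the caller.
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - outBefore;
        require(received >= minOut, "insufficient output");
        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
    }
}
```

With the hardened contract, passing USDC as `router` fails the allowlist check before any call is made, and a payload beginning with the transferFrom or approve selector is rejected regardless of target. Note that ERC-721’s approve(address,uint256) has the same 4-byte selector as ERC-20’s approve, so the approve guard also covers the position-NFT approval the Aperture attacker set; setApprovalForAll(address,bool) is a different selector, which is why the positive selector allowlist, not the two-entry denylist, is the real control. In production, wrap the token calls with a SafeERC20-style helper, since some tokens (USDT, for example) do not return a bool.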

How Are the Platforms Responding?

Both protocols have scrambled to tighten security. SwapNet and Aperture Finance urged users to revoke outstanding approvals to the affected contracts using an approval-revocation tool. Matcha Meta removed the option to turn off Single Approval and delisted SwapNet from its platform indefinitely, saying it will prioritize security over customization going forward.

Aperture Finance disabled all affected web app functionalities and is working with top-tier forensic security firms and law enforcement to track the stolen funds. The team is also establishing channels to negotiate fund returns, emphasizing transparency in their recovery efforts.

Lessons Learned and the Road Ahead

These incidents underscore the need for strict restrictions on the targets and calldata of external calls in smart contracts, especially in systems with limited external review. As DeFi grows, the balance between flexibility and security becomes increasingly critical. For users, the takeaway is clear: scrutinize every approval, prefer exact-amount, single-use approvals over infinite ones, and revoke allowances to contracts you no longer use.

This article does not constitute investment advice. Always conduct your own research before interacting with DeFi protocols.

FAQs

What was the total loss in the SwapNet attack?

SwapNet lost approximately $13.4 million across Ethereum, Arbitrum, Base, and Binance Smart Chain.

How did the Aperture Finance exploit occur?

The exploit stemmed from insufficient input validation in the affected function, which forwarded user-supplied calldata to unrestricted call targets, allowing attackers to craft malicious calls and drain approved tokens.

What steps has SwapNet taken post-attack?

SwapNet paused the affected contracts across all chains and is working with security firms to investigate. Matcha Meta has also removed SwapNet from its platform indefinitely.

Are users at risk if they revoked approvals?

Users who have revoked their approvals to the affected contracts are no longer exposed; those who haven’t should do so immediately using a tool such as revoke.cash.
