SwapNet loses $13.4 million after input validation flaw enables asset drain

Blockchain security firm BlockSec has released a technical analysis of the attacks that hit two decentralized finance protocols, resulting in losses of more than $17 million.

SwapNet, a DEX aggregator, suffered losses of over $13.4 million across Ethereum, Arbitrum, Base, and Binance Smart Chain, while Aperture Finance, which manages concentrated liquidity positions, lost an estimated $3.67 million in a concurrent but unrelated incident.

“The victim contracts expose an arbitrary-call capability due to insufficient input validation, allowing attackers to abuse existing token approvals and invoke transferFrom to drain assets,” BlockSec stated in a summary of its analysis on X.

The security firm stated, “These incidents serve as a reminder that flexibility in contract design must be carefully balanced with strict call constraints, especially in closed-source systems where external review is limited.”

What was behind SwapNet’s vulnerability?

In the SwapNet case, the vulnerability came from the function 0x87395540(), which lacked proper validation on critical inputs. 

By replacing expected router or pool addresses with token addresses such as USDC, attackers tricked the victim contract into treating tokens as valid execution targets. 

This led to low-level calls being executed with attacker-controlled calldata, enabling the victim contract to perform calls that allowed the attacker to siphon all approved assets.

The vulnerability impacted users of Matcha Meta, a DeFi exchange meta-aggregator, who had disabled the platform’s “One-Time Approval” setting and granted infinite approval directly to SwapNet contracts.

The largest single loss came from one user who lost around $13.34 million. In total, 20 users were affected. The attack began on Base at block 41289829, prompting SwapNet to pause contracts on Base 45 minutes after the initial exploit was detected. It also paused contracts on other chains shortly after; however, during that window, an additional 13 users were affected across three chains.

Similar weakness hit Aperture Finance

Aperture Finance, which manages Uniswap V3 liquidity positions on behalf of users, fell victim to the same class of vulnerability in its function 0x67b34120(). 

When this function was invoked, an internal function 0x1d33() executed low-level calls using calldata supplied by users without enforcing strict constraints on the call target or function selector.

This enabled attackers to construct malicious calldata that siphoned ERC-20 tokens and also approved Uniswap V3 position NFTs.

Users who had authorized approvals for “Instant Liquidity Management” features were the ones at risk from this attack.

In one representative attack on Ethereum, the attacker created a contract that invoked the vulnerable function with just 100 wei of ETH. After wrapping the native tokens into WETH, the malicious call to WBTC.transferFrom() was executed, allowing the attacker to drain approved tokens while passing a balance check by specifying their own swap output value.

What changes are the affected platforms making? 

The incidents have prompted both protocols to reassess their approach to security. First, both protocols asked their users to revoke approvals using tools such as Revoke.cash. 

Matcha Meta stated that it has disabled the toggle that allows users to turn off One-Time Approval. It has also removed SwapNet from its platform until further notice, while stating that “Erring on the side of customizability over security is not a posture we will allow moving forward.”

Aperture Finance stated that it has disabled all affected web application functionalities. On its recovery efforts, it stated, “We are working closely with top-tier forensic security firms and are coordinating with law enforcement to trace funds,” while adding that it is also establishing channels to negotiate the return of funds as well.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.