Aperture Finance has confirmed a major security exploit affecting its V3 and V4 smart contracts, with estimated losses of around $17 million. The attack, which occurred across multiple blockchains including Ethereum, BNB Chain, Arbitrum, and Base, did not rely on flash loans. Instead, it exploited a contract flaw that allowed attackers to abuse existing wallet approvals, draining funds from users who had previously approved the vulnerable contract.
Early analysis indicates the breach stemmed from an input validation problem in the affected contracts, enabling attackers to trigger arbitrary external calls. This allowed the contract to move approved user funds without proper checks. Following detection, Aperture Finance shut down key frontend functions to prevent new approvals and is working with external security partners on an investigation. The team has urged all users to immediately revoke approvals for the Ethereum mainnet contract address 0xD83d960deBEC397fB149b51F8F37DD3B5CFA8913 using tools like Etherscan or Revoke.cash.
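The revocation advice above can be checked against event data. The following Python is an added example, not code from Aperture Finance or any project named in this article: it replays ERC-20 Approval logs and returns the allowances to the affected contract that are still non-zero. The token addresses, owner addresses and log entries are constructed sample data, and block numbers are assumed to be already decoded to integers.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
SPENDER = "0xD83d960deBEC397fB149b51F8F37DD3B5CFA8913"  # contract address given in the article
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, spender=SPENDER):
    """Return {(token, owner): amount} for approvals to `spender` that are non-zero.

    The latest event per (token, owner) wins, so a later approve(spender, 0)
    clears the entry. Amounts come from logs only and may be lower on-chain once
    spent; confirm with the token's allowance(owner, spender) before acting.
    """
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

# ---- constructed sample data (not real addresses or real events) ----
def _pad(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

def make_log(token, owner, spender, value, block, index):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x")}

TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_A, ALICE, SPENDER, UNLIMITED, 100, 0),  # unlimited, never revoked
    make_log(TOKEN_A, BOB, SPENDER, 500, 101, 0),          # approved ...
    make_log(TOKEN_A, BOB, SPENDER, 0, 150, 2),            # ... then revoked
    make_log(TOKEN_B, ALICE, OTHER, 1000, 120, 1),         # different spender
    make_log(TOKEN_B, ALICE, SPENDER, 250, 130, 0),        # still live
    dict(make_log(TOKEN_B, BOB, SPENDER, 7, 140, 0),       # ERC-721 style, ignored
         topics=[APPROVAL_TOPIC, _pad(BOB), _pad(SPENDER), _pad("0x07")]),
]

if __name__ == "__main__":
    for (token, owner), amount in live_allowances(SAMPLE_LOGS).items():
        print(owner, "->", token, "unlimited" if amount == UNLIMITED else amount)
```

The same function works for any spender address, including the aggregator allowances discussed later in this article, by passing a different `spender` argument.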
Simultaneously, decentralized exchange aggregator Matcha Meta reported a separate security incident involving its SwapNet integration. Blockchain security firm PeckShield estimates roughly $16.8 million in assets were stolen, while CertiK reported a slightly lower figure of around $13.3 million in USDC on Base. On-chain data shows the attacker swapped about $10.5 million in USDC for approximately 3,655 ETH before bridging funds to Ethereum.
Matcha Meta identified the likely exploit as an "arbitrary call" vulnerability in the SwapNet contract, which allowed the attacker to transfer funds approved to it. The exposure was limited to users who had disabled One-Time Approvals and instead set direct allowances on individual aggregator contracts. Users interacting through One-Time Approval were not affected. In response, Matcha Meta has removed the ability for users to set allowances on aggregators directly.
These incidents highlight a growing trend in DeFi security: attacks increasingly target permission logic rather than liquidity pools. The combined losses of approximately $33.8 million underscore the persistent risks in the decentralized finance sector, against an industry backdrop in which cryptocurrency theft totaled more than $3.41 billion in 2025.