SwapNet Loses $13.4 Million Due to Input Validation Flaw: A Cautionary Tale for DeFi in 2024


Author: M1n3rX
Published: 2026-01-28 19:43:02


In a stark reminder of the risks lurking in decentralized finance (DeFi), SwapNet—a prominent DEX aggregator—suffered a $13.4 million exploit across Ethereum, Arbitrum, Base, and Binance Smart Chain due to a critical input validation flaw. Meanwhile, Aperture Finance lost $3.67 million in a separate but similar attack. Both incidents stemmed from inadequate validation of low-level call data, allowing attackers to drain approved tokens. Here’s a deep dive into what went wrong, how users were affected, and the lessons for the DeFi ecosystem.

How Did the SwapNet Exploit Unfold?

The attack targeted SwapNet’s vulnerable function, where insufficient input validation allowed attackers to substitute the expected router/pool addresses with token addresses such as USDC. This tricked the protocol into treating tokens as valid execution targets, enabling malicious calls. BlockSec’s analysis revealed that attackers exploited existing token approvals, siphoning funds from users who had granted unlimited permissions to SwapNet contracts. The hardest-hit victim lost $13.34 million, with 20 users affected in total.

The exploit began on Base at block 41289829. SwapNet paused contracts on Base within 45 minutes of detection, but delays in pausing other chains allowed 13 additional users to lose funds. Matcha Meta, a DeFi platform integrated with SwapNet, later disabled its "One-Time Approval" feature and removed SwapNet from its interface.

What Was the Root Cause?

Flexibility in smart contract design clashed with security. As BlockSec noted: "These incidents remind us that flexibility must be carefully balanced with strict call restrictions—especially in closed-source systems where external audits are limited." The lack of validation for low-level call targets created a loophole for attackers to hijack approved tokens.
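To make the root cause concrete, the following Solidity sketch is an added illustration, not SwapNet’s or Aperture Finance’s actual code (both are closed-source, and the real function names are not given in this article). The contract names, `executeSwap`, `allowedTargets` and `isSupportedToken` are assumptions. The first contract shows the shape of the flaw the article describes: a low-level call whose target and calldata are entirely caller-controlled, made by a contract that holds users’ token approvals. The second shows the restriction BlockSec is calling for: an allowlist of call targets that can never overlap with the tokens users approve, tokens pulled only from `msg.sender`, per-swap allowances instead of unlimited ones, and an output check measured from real balances rather than from caller-supplied figures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from SwapNet or Aperture Finance. All names here are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Vulnerable shape: `target` and `data` come straight from the caller. Since users have
/// approved this contract to spend their tokens, nothing stops `target` from being a token
/// contract instead of a router, which is exactly the substitution the article describes.
contract VulnerableAggregator {
    function executeSwap(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data); // unrestricted low-level call
        require(ok, "call failed");
    }
}

/// Hardened shape: strict call restrictions around the same low-level call.
contract HardenedAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedTargets;   // routers / pools the owner registered
    mapping(address => bool) public isSupportedToken; // tokens users are expected to approve

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // The two sets are kept disjoint: a token can never become a call target.
    function setTarget(address target, bool allowed) external onlyOwner {
        require(!isSupportedToken[target], "token cannot be a call target");
        allowedTargets[target] = allowed;
    }

    function setToken(address token, bool supported) external onlyOwner {
        require(!allowedTargets[token], "target cannot be a token");
        isSupportedToken[token] = supported;
    }

    function executeSwap(
        address tokenIn,
        uint256 amountIn,
        address tokenOut,
        uint256 minAmountOut,
        address target,
        bytes calldata data
    ) external payable {
        require(allowedTargets[target], "target not allowed");
        require(isSupportedToken[tokenIn] && isSupportedToken[tokenOut], "token not supported");

        // Pull tokens only from the caller; the forwarded call can never name another victim.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Grant the router exactly what this swap needs, never an unlimited allowance.
        require(IERC20(tokenIn).approve(target, amountIn), "approve failed");

        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");

        // Measure the output from real balances; never trust an amount reported by the caller.
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minAmountOut, "insufficient output");

        // Clear leftover allowance so a later call cannot reuse it, then pay the caller.
        require(IERC20(tokenIn).approve(target, 0), "reset failed");
        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
    }
}
```

For production use, tokens that do not return a bool from `transfer`/`approve` (USDT is the usual example) need a wrapper such as OpenZeppelin’s SafeERC20 rather than the bare `require` checks above, and the owner-managed allowlist should itself sit behind a timelock or multisig so that adding a target is a reviewed change rather than a single key’s decision.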

Aperture Finance’s Parallel Crisis

Aperture Finance, a Uniswap V3 liquidity manager, fell victim to an identical flaw in its function. Attackers crafted malicious call data to drain ERC-20 tokens and even approved Uniswap V3 NFT positions. One attacker spent just 100 Wei of ETH to initiate a transaction that siphoned WBTC via a manipulated call, bypassing balance checks by specifying fake swap outputs.

How Are Platforms Responding?

Both protocols are reevaluating their security postures:

  • User Warnings: Urged users to revoke approvals using tools like Revoke.cash.
  • Feature Disabling: Matcha Meta disabled one-time approvals; Aperture shut down vulnerable web app functions.
  • Recovery Efforts: Aperture is collaborating with cybersecurity firms and law enforcement to trace funds, while SwapNet remains paused indefinitely.

The Bigger Picture: DeFi’s Security Trade-Offs

These exploits highlight a recurring dilemma: the tension between user convenience (unlimited approvals) and security (input validation). As one BTCC analyst observed, "DeFi’s composability is its strength—and its Achilles’ heel." Closed-source systems, like SwapNet’s, compound risks by limiting community oversight.

Data sources: CoinMarketCap, TradingView.

FAQ: Key Questions Answered

What caused SwapNet’s $13.4 million loss?

A flawed function () failed to validate inputs, letting attackers replace contract addresses with token addresses and drain approved funds.

How did Aperture Finance lose $3.67 million?

Its function executed low-level calls without restricting targets, enabling ERC-20 theft via malicious call data.

What should users do now?

Revoke old approvals using Revoke.cash and avoid unlimited permissions unless absolutely necessary.


