Table of Contents
CoW Swap Protocol Halted Following DNS Hijack Attack
On April 14, 2026, CoW Swap, part of the Gnosis ecosystem, suspended its protocol services after a DNS hijacking incident compromised its frontend at approximately 14:54 UTC. This breach redirected users to a fraudulent platform, resulting in the theft of over US$1 million (approximately AU$1.45 million) in cryptocurrency assets within a mere three hours.
The attack was identified shortly after it occurred, prompting CoW DAO to issue a public alert at 15:41 UTC and confirm the DNS records compromise by 16:24 UTC. While the backend systems and smart contracts of CoW Swap remained untouched, the protocol was taken offline as a precautionary measure. Notably, as a non-custodial protocol, users’ funds are maintained in their wallets, mitigating direct contract-level losses.
Details of the Exploit
The targeted domain, swap.cow.fi, was hijacked at the registrar level, manipulating traffic to a cloned interface designed to mislead users into connecting their wallets and authorising transactions. Analysis of on-chain transactions revealed that one wallet alone lost 219 ETH, contributing to the overall substantial loss. Despite the immediate financial damage, the full scope of the attack remains unclear as investigations continue.
User Guidance and Response
In a proactive response, by 16:33 UTC, Cow DAO urged affected users to revoke all token approvals via revoke.cash to safeguard against further unauthorized transactions. Blockchain security firm Blockaid identified and flagged the malicious domains involved in the attack, including swap.cow.fi and cow.fi, monitoring the situation until around 18:15 UTC. They sought transaction hashes from users who might have been impacted.
This incident is reminiscent of similar attacks that have previously affected well-known platforms such as Curve Finance and Balancer.
CoW Swap’s Mechanism
CoW Swap employs an innovative trading method through batch auctions and “Coincidence of Wants” matching, linking users directly to eliminate reliance on external liquidity and minimise maximum extractable value (MEV). As of now, CoW Swap has not provided a timeline for reinstating its services or a detailed post-incident analysis.
As the cryptocurrency landscape continues to evolve, instances such as this highlight the ongoing challenges faced by decentralised finance (DeFi) protocols in securing their ecosystems against hacking threats and emphasise the importance of user vigilance in safeguarding their assets.
This situation serves as a stark reminder of the vulnerabilities present in digital finance systems, and as such, users are advised to stay informed and exercise caution in their transactions.
