CoW Swap Targeted by DNS Attack: Users Advised to Exercise Caution Due to Ongoing Exploits

by admin

CoW Swap Closes Operations Following DNS Hijacking Incident

On April 14, CoW Swap, a key player in the decentralised finance sector, was compelled to suspend all protocol services after a significant cybersecurity breach. The attackers managed to hijack the DNS records for the swap.cow.fi domain at 14:54 UTC, redirecting users to a malicious site designed to extract funds from users’ wallets.

Within a mere three hours of the attack, over US$1 million (approximately AU$1.45 million) was siphoned off, with one trader losing an alarming 219 ETH from their wallet. Fortunately, while the user interface was severely compromised, the underlying smart contracts and on-chain infrastructure remained intact, indicating no breach at the contract level.

The incident was swiftly acknowledged by Cow DAO, the governance body behind CoW Swap, with a public warning issued at 15:41 UTC and confirmation of the DNS compromise by 16:24 UTC. Shortly after, the protocol was put on pause as a preventive measure while the team commenced investigations.

Incident Overview

The breach targeted the swap.cow.fi domain at the registrar level, redirecting users to a near-replica of the legitimate site. This cloned interface misled users into connecting their wallets and authorising transactions that drained their funds. CoW Swap operates as a non-custodial platform, meaning users retain control of their funds, and the protocol’s backend and APIs were not affected. Consequently, the risk to the funds of those not deceived by the malicious interface remained minimal.

According to on-chain data, the theft clocked in at over US$1 million; however, the total extent of the losses is still unclear. A notable flagged address received a significant amount of ETH, suggesting that a single wallet was hit heavily.

User Guidance and Security Measures

In the aftermath of the attack, CoW DAO provided essential guidance to affected users, urging them at 16:33 UTC to revoke all token approvals using revoke.cash, a tool for reviewing and revoking the spending approvals a wallet has granted, so that approvals signed on the fake site could no longer be used to move tokens. The renowned cybersecurity firm Blockaid pinpointed the malicious domains associated with the attack and actively monitored the situation until around 18:15 UTC. They requested transaction hashes from all potentially compromised users for a comprehensive analysis.
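As an added illustration (not part of the original article or CoW DAO's tooling), here is the triage a wallet owner or responder would run behind the revocation advice above: decode a wallet's raw ERC-20 Approval logs and flag every non-zero approval signed from the 14:54 UTC hijack onward to a spender outside the protocol's trusted list, unlimited approvals first. The addresses, trusted-spender list and log entries are constructed samples; only the Approval topic hash is the real ERC-20 constant.

```python
"""Flag ERC-20 approvals a wallet granted to untrusted spenders during a
front-end hijack window. Decodes raw Approval logs (topic0 + two indexed
addresses + uint256 data). Addresses and logs below are constructed samples."""
from collections import namedtuple

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 topic0.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
Approval = namedtuple("Approval", "token owner spender value minute")  # minute: since 00:00 UTC

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()  # indexed address sits in the low 20 of 32 bytes

def hhmm(s: str) -> int:
    return int(s[:2]) * 60 + int(s[3:])

def decode_approval(log: dict):
    """Decode one raw log; None for anything that is not an ERC-20 Approval."""
    t = log["topics"]
    if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(log["address"].lower(), topic_to_address(t[1]),
                    topic_to_address(t[2]), int(log["data"], 16), hhmm(log["time"]))

def flag_approvals(logs, owner, trusted_spenders, start="14:54", end=None):
    """Non-zero approvals by `owner` to untrusted spenders from `start` (to `end`)."""
    lo, hi = hhmm(start), (hhmm(end) if end else 24 * 60)
    trusted = {s.lower() for s in trusted_spenders}
    hits = [a for a in map(decode_approval, logs)
            if a and a.owner == owner.lower() and a.value  # value 0 is a revocation
            and lo <= a.minute <= hi and a.spender not in trusted]
    return sorted(hits, key=lambda a: (a.value != UNLIMITED, a.minute))  # unlimited first

# Constructed sample data (not real addresses or on-chain logs).
pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # ABI-pad an address to 32 bytes
TOKEN, VICTIM, TRUSTED = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
ATTACKER_A, ATTACKER_B = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    {"address": TOKEN, "time": "12:10", "data": hex(10**18),
     "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(TRUSTED)]},     # legit, pre-attack
    {"address": TOKEN, "time": "15:05", "data": hex(UNLIMITED),
     "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(ATTACKER_A)]},  # signed on the clone
    {"address": TOKEN, "time": "15:40", "data": hex(5 * 10**18),
     "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(ATTACKER_B)]},
]

if __name__ == "__main__":
    for a in flag_approvals(SAMPLE_LOGS, VICTIM, [TRUSTED]):
        print(f"REVOKE spender {a.spender} on {a.token} (value {a.value})")
```

The output lists exactly the spender/token pairs to revoke; a spender that also received legitimate approvals before the window is kept off the list by the trusted set, not by timing alone.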

This attack echoes similar security incidents in the decentralised finance space, where platforms like Curve Finance and Balancer have faced equivalent threats, underscoring the persistent vulnerabilities within the ecosystem.

CoW Swap’s Unique Model

CoW Swap is renowned for its innovative trading mechanism. It leverages batch auctions and a "Coincidence of Wants" matching system, allowing users to trade directly without excessive reliance on external liquidity. This model aims to mitigate the risks associated with maximum extractable value (MEV) by pairing users more efficiently.

As of the latest updates, CoW Swap remains offline, and no timeline for restoration or further incident analysis has been provided. The ongoing investigation is crucial not only to understand the depth of the attack but also to reinforce security measures to protect user assets in the future.

In summary, the CoW Swap incident is a stark reminder of the ongoing cybersecurity challenges within the cryptocurrency landscape, prompting users and developers alike to remain vigilant in the face of evolving threats.
