- CoW Swap is the victim of the latest DeFi exploit, with the hacker stealing over $180,000 worth of crypto.
- The hacker exploited a smart contract in the “solvers competition” of CoW Swap.
- Despite the exploit, CoW Swap says neither the protocol nor its users suffered any loss.
CoW Swap, a decentralized exchange (DEX), has become the latest DeFi protocol to be exploited after a hacker drained a settlement contract containing its protocol fees, looting over $180,000 worth of crypto.
CoW Swap Suffers DeFi Exploit
In the never-ending attack on DeFi protocols, CoW Swap has become the latest victim. The exploit which happened yesterday was first spotted by the on-chain sleuth MevRefund and confirmed by the CoW Swap team.
According to CoW Swap, the hacker exploited “an external solver and used it to drain the settlement contract, which held seven days’ worth of protocol fees.”
The blockchain analytical firm Nansen reported that the exploiter stole roughly $180,000. According to the report, the hacker consolidated the funds into two wallets containing $123,000 DAI, $50,000 BNB, and $7,400 ETH.
CoW Swap Didn’t Suffer Any Loss
Although CoW Swap confirmed the exploit, the team noted that none of its users were affected. The team also noted that no funds were stolen from the protocol during the exploit.
While over $180,000 was confirmed stolen, the CoW Swap team explained that the solver’s bond would pay for all damages. This means that the protocol did not suffer any direct loss from the exploit. The team tweeted:
.tweet-container,.twitter-tweet.twitter-tweet-rendered,blockquote.twitter-tweet{min-height:261px}.tweet-container{position:relative}blockquote.twitter-tweet{display:flex;max-width:550px;margin-top:10px;margin-bottom:10px}blockquote.twitter-tweet p{font:20px -apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif}.tweet-container div:first-child{ position:absolute!Important }.tweet-container div:last-child{ position:relative!Important }
Last night, a hacker exploited an external solver and used it to drain the settlement contract, which held 7 days worth of protocol fees.Users are not affected since we never hold user funds (!) Neither Cow Swap is affected: The solver's bond will pay for all damages.A— CoW Swap | Better than the best prices (@CoWSwap) February 7, 2023
How Was CoW Swap Exploited?
CoW Swap engages in a so-called “solver competition” where external parties compete to find the best execution route for their users. The team said the exploiter entered the competition ten days ago.
The exploiter hacked the smart contract to allow anyone to transfer from the settlement contract. They then tricked the DEX GPv2Settlement contract to approve SwapGuard for DAI spending.
The hacker would return to trigger SwapGuard to transfer the DAI from the GPv2Settlement contract. During the attack, community members urged users to revoke approvals from the DEX. Cow Swap responded that it wasn’t necessary.
No losses were recorded because CoW Swap is protected from solver exploits by the solver bonding pools. CoW Swap also adds that all the approvals for the bad contract have been revoked, adding that no more malicious actions were possible.
On the Flipside
- MevRefund has also reported that others have been using the same technique to try and steal the funds remaining in the pool.
Why You Should Care
The more sophisticated framework of CoW Swap kept it from being the latest to suffer a loss after being exploited by hackers.
Find more recent DeFi hacks below:
Lending Protocol BonqDAO Loses $120 Million to Hackers
You may also be interested in:
Ways Blockchain Can Be Hacked