CoW Swap said it suffered no loss – despite $166k exploit

Decentralized exchange (DEX) protocol CoW Swap confirmed that it was exploited for $166,000 by a hacker who drained a settlement contract containing its protocol fees.

Meanwhile, blockchain analytical firm Nansen reported that the exploiter stole roughly $180,000 — the funds were consolidated in two wallets containing at least $123,000 DAI, $50,000 BNB and $7,400 ETH.

The exploit was first spotted by blockchain surveyor MevRefund.

CoW Swap details exploit

The decentralized exchange said an external party that had access to its settlement contract had set approval to a “bad contract” 10 days ago.

The hacker exploited this approval as the bad contract allowed anyone to transfer from the settlement contract.

Blockchain security firm PeckShield corroborated CoW Swap’s explanation. The DEX GPv2Settlement contract was tricked ten days ago to approve SwapGuard for DAI spending, according to the firm.

The exploiter later triggered SwapGuard to transfer the DAI from the GPv2Settlement contract. Through this compromise, anyone could issue an arbitrary call on the contract.

CoW Swap said it suffered no loss

Despite the $166,000 exploit, CoW Swap said it is not suffering any losses as its solver’s bond will pay for all damages.

“Potential damages are capped at the weekly revenue of the protocol + are protected by the solver bonding pools.”

The DEX added that none of its users’ funds were impacted because it does not hold their funds.

The protocol said all the approvals for the bad contract had been revoked, adding that no more malicious actions were possible.

Users do not need to revoke approvals because the hacker “cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return,” CoW Swap added.

Posted In: DeFi, DEX, Hacks
Bookmark (0)

Related Posts

USDC issuer Circle issues warning about hacked executive account

USDC issuer Circle issues warning about hacked executive account

The hacker tweeted about a fake USDC airdrop to compensate holders who held the stablecoin during its depeg.

Bookmark (0)
Former Coinbase CTO urges ‘get to Bitcoin’ before CBDC digital lockdown

Former Coinbase CTO urges ‘get to Bitcoin’ before CBDC digital lockdown

Balaji Srinivasan warns of impending financial tyranny under CBDC system, advocates for Bitcoin as a solution.

Bookmark (0)

Virtual Duo Babka and Nushi Honor Game Developers Worldwide at GDC

Bookmark (0)
DeFi insurance grew in 2022 to include nearly two dozen providers

DeFi insurance grew in 2022 to include nearly two dozen providers

A new report published using industry data shows that DeFi insurance claims paid out a total of $34.4 million in 2022.

Bookmark (0)
Sushi and its ‘head chef’ receive SEC subpoena

Sushi and its ‘head chef’ receive SEC subpoena

The SushiSwap group and its leader aim to create a $3 million legal defense fund.

Bookmark (0)
OneCoin associate Irina Dilkinska charged following US extradition

OneCoin associate Irina Dilkinska charged following US extradition

Dilkinska is the latest individual to face charges in a $4 billion crypto scam.

Bookmark (0)

Leave a Reply

Your email address will not be published. Required fields are marked *