Ad
News
CoW Swap said it suffered no loss – despite $166k exploit CoW Swap said it suffered no loss – despite $166k exploit

CoW Swap said it suffered no loss – despite $166k exploit

CoW Swap said an external party that had access to its settlement contract had set approval to a "bad contract" 10 days ago. 

CoW Swap said it suffered no loss – despite $166k exploit

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

Join Japan's Web3 Evolution Today

Decentralized exchange (DEX) protocol CoW Swap confirmed that it was exploited for $166,000 by a hacker who drained a settlement contract containing its protocol fees.

Meanwhile, blockchain analytical firm Nansen reported that the exploiter stole roughly $180,000 — the funds were consolidated in two wallets containing at least $123,000 DAI, $50,000 BNB and $7,400 ETH.

The exploit was first spotted by blockchain surveyor MevRefund.

CoW Swap details exploit

The decentralized exchange said an external party that had access to its settlement contract had set approval to a “bad contract” 10 days ago.

The hacker exploited this approval as the bad contract allowed anyone to transfer from the settlement contract.

Blockchain security firm PeckShield corroborated CoW Swap’s explanation. The DEX GPv2Settlement contract was tricked ten days ago to approve SwapGuard for DAI spending, according to the firm.

The exploiter later triggered SwapGuard to transfer the DAI from the GPv2Settlement contract. Through this compromise, anyone could issue an arbitrary call on the contract.

CoW Swap said it suffered no loss

Despite the $166,000 exploit, CoW Swap said it is not suffering any losses as its solver’s bond will pay for all damages.

“Potential damages are capped at the weekly revenue of the protocol + are protected by the solver bonding pools.”

The DEX added that none of its users’ funds were impacted because it does not hold their funds.

The protocol said all the approvals for the bad contract had been revoked, adding that no more malicious actions were possible.

Users do not need to revoke approvals because the hacker “cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return,” CoW Swap added.

Mentioned in this article
Posted In: DeFi, DEX, Hacks