CoWSwap has been hacked for $150,000, according to a statement endorsed by the DeFi protocol.
CoWSwap Hacked For $150,000
According to the team, hackers took advantage of a code flaw in CoWSwap’s settlement contract and made away with $150,000. The amount lost was from fees collected by the DeFi platform.
PSA:
The @CoWSwap settlement contract was exploited for $150k tonight. These $150k are from fees collected by the protocol.
As a trader, there is no reason to worry or revoke approvals.
Cowswap never takes custody of your funds.
All trades are purely atomic.
Moo on — 🐮
— Hasu⚡️🤖 (@hasufl) February 7, 2023
The good news is that the hack didn’t affect any of the protocol’s user funds.
CoWSwap reiterated that though their settlement contract was impacted, the non-custodial nature of their operation means traders don’t have to “worry or revoke” transactions. They added that all trading activities are atomic, seemingly to reassure traders that the hack was contained.
Before this hack, CoWSwap has collected approximately $17.3 million in fees, data from Dune shows.
At present, CoWSwap says they are investigating the hack.
We are aware of an issue that has impacted the fees that CoW Protocol has collected over the past week.
We have mitigated the issue and are conducting an investigation.
Traders are in no way affected.
More details to follow.
— CoW Swap | Better than the best prices (@CoWSwap) February 7, 2023
However, according to analysts’ breakdown, the hacker was specific. Notably, their target was CoWSwap’s settlement contract which stores fees collected by the protocol over the week. As a safety measure, the contract doesn’t interact with user funds. For access, the wallet owner must sign an order approving the transaction. Only then will the hacker gain entry to the user’s “limit-buy amount.”
CoWSwap aggregates prices from decentralized exchanges like Uniswap and other aggregators on Gnosis Protocol v2. Orders are settled peer-to-peer or from on-chain liquidity sources for higher liquidity and protection against Maximal Extractable Value (MEV) attacks via batching, where transaction ordering becomes irrelevant.
MEV attacks can be via sandwiching and front-running. It is common in account-based blockchains like Ethereum and the BNB Smart Chain.
CoWSwap Joins The Creative Alliance
The hack comes hours after CoWSwap joined other DeFi protocols, including Balancer, Yearn Finance, and MakerDAO, in a creative campaign to point out the advantages of DeFi. Participants would share each other’s tweets.
Draper, Yearn’s chief marketing officer (CMO), said the campaign celebrates DeFi, adding that:
There is something special happening in Decentralized Finance. This campaign celebrates what makes DeFi different from the systems it seeks to replace – executed in a way that could only work in this space. We hope it will serve as yet another reminder that, in the wake of CeFi blow-ups, DeFi stands apart through its technological composability and shared values.