PeckShield, the blockchain security data and analytics company, has identified a breach of the CoW Swap DEX in which an attacker extracted about $180,000.
According to PeckShield, the heist on CoW Swap began roughly ten days before its report. At that point the attacker appears to have tricked CoW Swap's GPv2Settlement contract into approving SwapGuard to spend its DAI. With that allowance in place, the attacker then triggered SwapGuard to transfer DAI out of GPv2Settlement.
It seems (1) @CoWSwap's GPv2Settlement contract has been tricked 10 days ago to approve SwapGuard for DAI spending and (2) SwapGuard was just triggered to transfer out DAI from GPv2Settlement. Here are the two related txs: https://t.co/Tb8Sk5xqMR and https://t.co/JS7ejDhiAs https://t.co/Wpbeq4UoEP
— PeckShield Inc. (@peckshield) February 7, 2023
PeckShield reported that the attacker moved the funds out of CoW Swap and, as of the time of writing, had already withdrawn over $180,000 worth of DAI, ETH, and BNB through Tornado Cash.
Several further transfers in the following hours exploited the loophole the original attacker had opened. As some users reported, the allowance granted to SwapGuard during the attack left CoW Swap exposed, since it allowed anyone to make arbitrary function calls through it. Opportunistic users appear to have used that window to scramble for whatever remained of the loot.
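The condition described above, a protocol-owned contract granting an ERC-20 allowance to a spender it should never have approved, is one a defender can watch for in the event log. The following is an added illustration, not CoW Swap's or PeckShield's code: it decodes raw ERC-20 Approval logs and flags any in which the owner is one of the protocol's contracts and the spender is not on an allowlist. All addresses and transaction hashes are constructed placeholders, not the real contracts.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)") as emitted in topics[0] of an ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

@dataclass
class Alert:
    tx: str
    token: str
    owner: str
    spender: str
    value: int

def _topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes; the address is the low 20 bytes.
    return "0x" + topic[-40:].lower()

def flag_protocol_approvals(logs, protocol_contracts, allowed_spenders):
    """Return an Alert for every Approval log whose owner is one of our contracts
    and whose spender is outside the allowlist. `logs` are eth_getLogs-style dicts."""
    owners = {a.lower() for a in protocol_contracts}
    allowed = {a.lower() for a in allowed_spenders}
    alerts = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        owner = _topic_to_address(topics[1])
        spender = _topic_to_address(topics[2])
        if owner in owners and spender not in allowed:
            alerts.append(Alert(log["transactionHash"], log["address"].lower(),
                                owner, spender, int(log["data"], 16)))
    return alerts

# Constructed sample data: placeholder addresses standing in for the settlement
# contract, the spender it was tricked into approving, and the token.
SETTLEMENT = "0x" + "aa" * 20
SPENDER = "0x" + "bb" * 20
TOKEN = "0x" + "cc" * 20

def _pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")

SAMPLE_LOGS = [
    # Unlimited allowance from the protocol contract to an unexpected spender: should alert.
    {"address": TOKEN, "transactionHash": "0xtx1",
     "topics": [APPROVAL_TOPIC, _pad(SETTLEMENT), _pad(SPENDER)], "data": hex(2**256 - 1)},
    # Ordinary user approval, owner is not a protocol contract: should not alert.
    {"address": TOKEN, "transactionHash": "0xtx2",
     "topics": [APPROVAL_TOPIC, _pad("0x" + "dd" * 20), _pad(SPENDER)], "data": hex(1000)},
]
```

An alert on an unexpected spender is the cue to revoke the allowance from the affected contract before anyone else can call through it.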
CoW Swap responded by acknowledging the exploit and reassuring users that it was safe to keep using the protocol. According to CoW Swap, the breach affected only the fees the CoW Protocol had collected over the past week and nothing more. The DEX said it had mitigated the issue and opened an investigation.
Offering further assurance, CoW Swap advised users that there was no need to revoke approvals, explaining that the settlement contract holds only the fees the protocol accrues over the span of one week. It also reiterated that the protocol cannot access users' funds directly without an order signed by the user, and must give them at least their limit-buy amount in return.