Decentralized exchange (DEX) protocol CoW Swap confirmed that it was exploited for $166,000 by a hacker who drained a settlement contract containing its protocol fees.
Meanwhile, blockchain analytical firm Nansen reported that the exploiter stole roughly $180,000 — the funds were consolidated in two wallets containing at least $123,000 DAI, $50,000 BNB and $7,400 ETH.
The exploit was first spotted by blockchain surveyor MevRefund.
CoW Swap details exploit
The decentralized exchange said an external party that had access to its settlement contract had set approval to a “bad contract” 10 days ago.
The hacker exploited this approval as the bad contract allowed anyone to transfer from the settlement contract.
Blockchain security firm PeckShield corroborated CoW Swap’s explanation. The DEX GPv2Settlement contract was tricked ten days ago to approve SwapGuard for DAI spending, according to the firm.
The exploiter later triggered SwapGuard to transfer the DAI from the GPv2Settlement contract. Through this compromise, anyone could issue an arbitrary call on the contract.
CoW Swap said it suffered no loss
Despite the $166,000 exploit, CoW Swap said it is not suffering any losses as its solver’s bond will pay for all damages.
“Potential damages are capped at the weekly revenue of the protocol + are protected by the solver bonding pools.”
The DEX added that none of its users’ funds were impacted because it does not hold their funds.
The protocol said all the approvals for the bad contract had been revoked, adding that no more malicious actions were possible.
Users do not need to revoke approvals because the hacker “cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return,” CoW Swap added.