CoW Swap said it suffered no loss – despite $166k exploit
Decentralized exchange (DEX) protocol CoW Swap has been exploited for $166,000 by hackers who drained a settlement contract holding protocol fees.
Meanwhile, blockchain analytics firm Nansen reported that the exploiters stole about $180,000; the funds were consolidated into two wallets containing at least $123,000 of DAI, $50,000 of BNB, and $7,400 of ETH.
The exploit was first spotted by blockchain researcher MevRefund.
CoW Swap Details Exploit
The decentralized exchange said an outside party with access to the settlement contract placed an approval on an “inappropriate contract” 10 days ago.
Hackers abused this authorization, because the fraudulent contract allowed anyone to transfer from the settlement contract.
Blockchain security company PeckShield backed up CoW Swap's explanation. According to the company, the DEX's GPv2Settlement contract was duped 10 days earlier into authorizing SwapGuard to spend its DAI.
The exploiter then triggered SwapGuard to transfer DAI from the GPv2Settlement contract. This compromise allowed anyone to issue arbitrary calls to the contract.
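The standing approval described above can be watched for from the defender's side. The following is an added example, not code from CoW Swap or PeckShield: it replays ERC-20 Approval logs for a monitored fee-holding contract and flags live allowances to spenders outside an allowlist, with their age in days. All addresses, the allowlist and the sample events are constructed placeholders.

```python
from dataclasses import dataclass

# All addresses, token names and events below are constructed placeholders.
SETTLEMENT = "0xSETTLEMENT"                 # the fee-holding contract being monitored
ALLOWED_SPENDERS = {"0xEXPECTED_SPENDER"}   # hypothetical allowlist of expected spenders
DAY = 86_400
MAX_UINT = 2**256 - 1                       # "unlimited" ERC-20 allowance

@dataclass(frozen=True)
class Approval:
    """One decoded ERC-20 Approval(owner, spender, value) log entry."""
    timestamp: int
    token: str
    owner: str
    spender: str
    value: int

def standing_allowances(events, owner):
    """Replay Approval logs in time order; approve() overwrites, so the last value wins."""
    live = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.owner != owner:
            continue                      # approvals by other accounts are out of scope
        key = (ev.token, ev.spender)
        if ev.value == 0:
            live.pop(key, None)           # approval revoked
        else:
            live[key] = ev                # approval granted or changed
    return live

def unexpected_approvals(events, owner, allowed, now):
    """Return (token, spender, value, age_days) for live approvals to unlisted spenders."""
    findings = []
    for (token, spender), ev in standing_allowances(events, owner).items():
        if spender not in allowed:
            findings.append((token, spender, ev.value, (now - ev.timestamp) // DAY))
    return sorted(findings)

T0 = 1_700_000_000  # constructed timestamp
SAMPLE_EVENTS = [
    Approval(T0, "DAI", SETTLEMENT, "0xEXPECTED_SPENDER", MAX_UINT),
    Approval(T0 + 1 * DAY, "DAI", SETTLEMENT, "0xUNKNOWN_GUARD", MAX_UINT),
    Approval(T0 + 2 * DAY, "USDC", SETTLEMENT, "0xROUTER", 5_000),
    Approval(T0 + 3 * DAY, "USDC", SETTLEMENT, "0xROUTER", 0),          # revoked
    Approval(T0 + 4 * DAY, "DAI", "0xSOME_USER", "0xUNKNOWN_GUARD", 100),
]

if __name__ == "__main__":
    for f in unexpected_approvals(SAMPLE_EVENTS, SETTLEMENT, ALLOWED_SPENDERS, T0 + 11 * DAY):
        print("ALERT token=%s spender=%s value=%d age_days=%d" % f)
```

Log replay is an approximation, since a token's transferFrom is not required to emit Approval when it reduces an allowance; confirm any finding against the token's on-chain allowance() value before acting on it.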
CoW Swap said there were no losses
Despite the $166,000 exploit, CoW Swap says it suffered no losses because the solvers' bonds cover all the damage.
“Potential damage is capped at the protocol’s weekly earnings and protected by a combined pool of solvers.”
The DEX added that users' funds were not affected, as it does not hold user funds.
The protocol stated that all approvals for bad contracts had been revoked, adding that no further malicious activity was possible.
Users do not need to revoke authorizations because hackers “do not have direct access to user funds unless the user provides a signed order and at least the limit purchase amount in return,” CoW Swap added.