CoW Swap, a decentralized exchange (DEX) aggregator, recently suffered an attack resulting in a loss of at least 550 BNB worth over $180,000 due to a contract exploit that allowed unauthorized transfers of funds.
The event, which happened yesterday, was first flagged by blockchain surveyor MevRefund. The MEV searcher warned users in a Twitter thread.
@CoWSwap your funds appear to be moooving away … https://t.co/li1NkXNeUp
— MevRefund (@MevRefund) February 7, 2023
Smart contract auditor Blocksec reported that a multisig wallet added a new address as a “solver” for CoW Swap. That address then sent a transaction approving the transfer of DAI to SwapGuard, which SwapGuard used to move the DAI from the CoW Swap settlement contract to other addresses.
1/ Looks like 0x55a37a2e5e5973510ac9d9c723aec213fa161919 was added as a "solver" of @CoWSwap by the multisig in this tx: https://t.co/7jXhh2vBKh
Then 0x55a invokes the tx to approve DAI to SwapGuard https://t.co/VjlfXHn5GF
— BlockSec (@BlockSecTeam) February 7, 2023
“A lesson learned. A contract with the interface of arbitrary call should not have any allowance, 0x55a37a2e5e5973510ac9d9c723aec213fa161919 made the mistake and approved the maximum value of DAI to SwapGuard, which is the root cause of the attack,” wrote Blocksec.
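To make Blocksec's point concrete, the sketch below is an added illustration and not code from CoW Swap, SwapGuard or the Barter solver; all contract and function names are hypothetical. It contrasts a relay that forwards arbitrary calls (so any allowance it holds is usable by whoever can call it) with two defensive patterns: gating the relay to a single operator, and granting only a per-settlement allowance that is reset to zero before the transaction ends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Risky pattern (hypothetical): anyone may route any call through this contract.
// A standing ERC-20 allowance granted to it is effectively granted to the public,
// because a caller can have it invoke transferFrom on the approving account.
contract ArbitraryCallRelay {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Mitigation 1 (hypothetical): restrict who may drive the relay, so an
// allowance held by it can only be consumed by the trusted operator.
contract GatedRelay {
    address public immutable operator;
    constructor(address op) { operator = op; }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(msg.sender == operator, "not operator");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Mitigation 2 (hypothetical): the token-holding side never leaves a standing
// allowance. It approves exactly the amount this settlement needs, performs the
// settlement, and resets the allowance to zero in the same transaction, so no
// max-value approval survives for later misuse.
contract ScopedApprovalSettlement {
    address public immutable owner;
    constructor() { owner = msg.sender; }

    function settleVia(IERC20 token, address relay, uint256 amount, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        require(token.approve(relay, amount), "approve failed");   // scoped, not max
        (bool ok, ) = relay.call(data);                            // the settlement itself
        require(ok, "relay call failed");
        require(token.approve(relay, 0), "reset failed");          // nothing left behind
    }
}
```

A practical check for any deployed token holder is to enumerate its live allowances and flag any spender whose code exposes an unrestricted external-call entry point.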
According to blockchain security firm PeckShield, an estimated 551 BNB tokens were moved to crypto mixer Tornado Cash.
#PeckshieldAlert @CoWSwap exploiter has transferred ~551 $BNB ($181.6k) to Tornado Cash
— PeckShieldAlert (@PeckShieldAlert) February 7, 2023
The CoW Swap team confirmed the hack, reporting that only the protocol fees of the last 7 days were affected. All users’ funds were safe, since the protocol never holds any user assets.
CoW also said that the protocol hasn’t suffered any losses because the solver’s bond will cover the damage.
Last night, a hacker exploited an external solver and used it to drain the settlement contract, which held 7 days worth of protocol fees.
Users are not affected since we never hold user funds (!)
Neither is CoW Swap affected: The solver's bond will pay for all damages.
— CoW Swap | Better than the best prices (@CoWSwap) February 7, 2023
According to CoW, the hacker added themselves to the solver competition, which the protocol runs regularly to find the best execution route for users. Solvers have access to the settlement contract and its fees, but are only added after setting up a bonding pool.
“Potential damages are capped at the weekly revenue of the protocol + are protected by the solver bonding pools,” wrote CoW Swap. “We apologize for the early morning scare, it was a good stress test for CoW Swap.”
CoW later posted an update stating that the solver that was hacked had refunded the losses.
Update on today's solver hack:
The barter solver who got hacked today already refunded the losses it caused: https://t.co/nbLl45ZbIM
— CoW Swap | Better than the best prices (@CoWSwap) February 7, 2023
Next steps for CoW DAO are to decide on the slashing process and to judge whether the Barter Solver can be re-added to the solver competition.