CoW Swap, a decentralized exchange (DEX) aggregator, recently suffered an attack resulting in a loss of at least 550 BNB worth over $180,000 due to a contract exploit that allowed unauthorized transfers of funds.
The event, which happened yesterday, was first flagged by MevRefund, an MEV searcher, who warned users in a Twitter thread.
Smart contract auditor Blocksec reported that a multisig wallet address was added as a “solver” for CoW Swap. The address then executed a transaction approving the transfer of DAI to SwapGuard, causing the latter to move the DAI from the CoW Swap settlement contract to other addresses.
“A lesson learned. A contract with the interface of arbitrary call should not have any allowance, 0x55a37a2e5e5973510ac9d9c723aec213fa161919 made the mistake and approved the maximum value of DAI to SwapGuard, which is the root cause of the attack,” wrote Blocksec.
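The root cause Blocksec describes, an unlimited DAI allowance granted by the settlement contract to a contract with an arbitrary-call interface, is the kind of state change a monitoring job can catch at the moment it happens. The following is an added example, not CoW Swap's or Blocksec's code: it decodes standard ERC-20 Approval logs and flags allowances granted by a settlement address that are unlimited or above a cap, escalating when the spender is not on an allow-list of audited contracts. The owner address is the one quoted above; the token, spender addresses, transaction hashes and the cap value are constructed placeholders.

```python
"""Flag risky ERC-20 allowances granted by a settlement contract.

Added example, not code from CoW Swap or Blocksec. Reads raw eth_getLogs-style
entries, decodes ERC-20 Approval events and reports allowances that a settlement
contract should never hand out: unlimited ones, or ones above a configured cap,
with higher severity when the spender is not an allow-listed, audited contract.
"""
from typing import Optional
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int
    tx_hash: str


def _topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def _pad_address(addr: str) -> str:
    """Inverse of _topic_to_address, used only to build the sample logs."""
    return "0x" + "0" * 24 + addr[2:].lower()


def decode_approval(log: dict) -> Optional[Approval]:
    """Decode one raw log entry, or return None if it is not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        token=log["address"].lower(),
        owner=_topic_to_address(topics[1]),
        spender=_topic_to_address(topics[2]),
        value=int(log["data"], 16),
        tx_hash=log["transactionHash"],
    )


def scan_approvals(logs, settlement, allowed_spenders, cap):
    """Return findings for approvals granted *by* the settlement contract.

    'high'   : unlimited or over-cap allowance to a spender not on the allow-list
               (e.g. anything exposing an arbitrary-call interface).
    'medium' : unlimited or over-cap allowance to an allow-listed spender.
    Approvals by other owners, or within the cap, produce no finding.
    """
    settlement = settlement.lower()
    allowed = {a.lower() for a in allowed_spenders}
    findings = []
    for log in logs:
        ap = decode_approval(log)
        if ap is None or ap.owner != settlement:
            continue
        unlimited = ap.value == UINT256_MAX
        if not (unlimited or ap.value > cap):
            continue
        findings.append({
            "tx": ap.tx_hash,
            "token": ap.token,
            "spender": ap.spender,
            "reason": "unlimited allowance" if unlimited else "allowance above cap",
            "severity": "medium" if ap.spender in allowed else "high",
        })
    return findings


# Constructed sample data. SETTLEMENT is the address quoted by Blocksec; every
# other address, hash and the cap are placeholders, not on-chain values.
SETTLEMENT = "0x55a37a2e5e5973510ac9d9c723aec213fa161919"
TOKEN = "0x1000000000000000000000000000000000000001"        # placeholder token
AUDITED_SPENDER = "0x2000000000000000000000000000000000000002"  # allow-listed
UNKNOWN_SPENDER = "0x3000000000000000000000000000000000000003"  # not allow-listed
OTHER_OWNER = "0x4000000000000000000000000000000000000004"
ALLOWED_SPENDERS = [AUDITED_SPENDER]
CAP = 10_000 * 10**18  # placeholder cap: 10,000 tokens with 18 decimals


def _log(owner, spender, value, tx):
    return {
        "address": TOKEN,
        "topics": [APPROVAL_TOPIC, _pad_address(owner), _pad_address(spender)],
        "data": "0x" + format(value, "064x"),
        "transactionHash": tx,
    }


SAMPLE_LOGS = [
    _log(SETTLEMENT, UNKNOWN_SPENDER, UINT256_MAX, "0xtx1"),        # high
    _log(SETTLEMENT, AUDITED_SPENDER, 1_000 * 10**18, "0xtx2"),     # within cap
    _log(OTHER_OWNER, UNKNOWN_SPENDER, UINT256_MAX, "0xtx3"),       # not the settlement
    _log(SETTLEMENT, AUDITED_SPENDER, UINT256_MAX, "0xtx4"),        # medium
]

if __name__ == "__main__":
    for f in scan_approvals(SAMPLE_LOGS, SETTLEMENT, ALLOWED_SPENDERS, CAP):
        print(f)
```

Run against a real node, the same function would consume the output of `eth_getLogs` filtered on the Approval topic and the settlement address in `topics[1]`; an alert on a 'high' finding is the check that would have fired on the approval Blocksec describes.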
According to blockchain security firm PeckShield, an estimated 551 BNB tokens were moved to crypto mixer Tornado Cash.
The CoW Swap team confirmed the hack, reporting that only the protocol fees of the last 7 days were affected. All user funds were safe, since the protocol never holds any user assets.
CoW also said that the protocol hasn’t suffered any losses because the solver’s bond will cover the damage.
According to CoW, the hacker added themselves to the solver competition, which the protocol runs regularly to find the best execution route for users. Solvers have access to the settlement contract and its fees, but are only added after setting up a bonding pool.
“Potential damages are capped at the weekly revenue of the protocol + are protected by the solver bonding pools,” wrote CoW Swap. “We apologize for the early morning scare, it was a good stress test for CoW Swap.”
CoW later posted an update stating that the solver that was hacked had refunded the losses.