A hacker stole over $180,000 worth of cryptocurrency from the decentralized exchange CoW Swap in the latest DeFi exploit. The attacker targeted a smart contract in CoW Swap’s “solver competition” and drained a settlement contract holding seven days’ worth of protocol fees. CoW Swap confirmed the theft, but the team said that neither the protocol nor its users suffered any loss. How exactly did the CoW Swap hack happen?
CoW Swap stated that no cryptocurrencies were stolen from the protocol or its users and that the solver’s bond would cover the damages, meaning the protocol didn’t suffer any direct loss from the exploit.
“Last night, a hacker exploited an external solver and used it to drain the settlement contract, which held 7 days worth of protocol fees. Users are not affected since we never hold user funds (!) Neither Cow Swap is affected: The solver’s bond will pay for all damages,” tweeted CoW Swap on February 7.
Read this thread for more information on today's event 👉 https://t.co/biO6o7u0Zf
and this more detailed post mortem 👉 https://t.co/8wRqIJuWs5
— CoW DAO | MEV Blocker & CoW Swap (@CoWSwap) February 7, 2023
How the CoW Swap Hack Happened
The attack, which was detected by blockchain investigator MevRefund, saw the hacker exploit an external solver to drain the settlement contract containing the protocol fees, worth roughly $180,000.
CoW Swap revealed that the hacker used an external solver to empty crypto out of its settlement contract, which held seven days’ worth of protocol charges. Blockchain analysis firm Nansen calculated that approximately $180,000 had been stolen and placed into two wallets with $123,000 DAI, $50,000 BNB, and a further $7,400 ETH.
The block headline, "DEX aggregator CoW Swap falls victim to $180,000 hack", still suggests users' funds were lost.
User funds were never at risk. Any chance we can get this title revised @lawmaster @fintechfrank for improved accuracy???
— Rafa 🐸⛽️ (@Grizzlyshort) February 7, 2023
CoW Swap engages in a “solver competition” where external parties compete for the best execution route for their users. The hacker entered the competition ten days ago and exploited the smart contract, allowing for transfers from the settlement contract.
The attacker then triggered the DEX's GPv2Settlement contract to transfer DAI out of itself. CoW Swap stated that the approvals for the bad contract have been revoked.
Later in the day on February 7, CoW Swap sent out an update on the hack, saying, “The barter solver who got hacked today already refunded the losses it caused,” and that the next steps were for the CoW DAO “to decide on the slashing process and to judge whether the Barter Solver can be re-added to the solver competition.”
Update on today's solver hack:
The barter solver who got hacked today already refunded the losses it caused: https://t.co/nbLl45ZbIM
Next steps for CoW DAO are to decide on the slashing process and to judge whether the Barter Solver can be re-added to the solver competition.
— CoW DAO | MEV Blocker & CoW Swap (@CoWSwap) February 7, 2023