Decentralized exchange aggregator CoW Swap suffered a major hack, with the attacker making off with over $180,000 in funds, according to security firms PeckShield and BlockSec.
As a decentralized exchange (DEX) aggregator, CoW Swap's goal is to provide users with the best prices across decentralized exchanges. However, a hacker targeted its trade settlement smart contract, GPv2Settlement, to drain funds.
PeckShield estimated that the attacker drained roughly $180,000 worth of DAI from CoW Swap before routing the funds through Tornado Cash to obtain 551 BNB. The attack targeted the GPv2Settlement, a trade settlement smart contract that is part of the CoW Swap alpha (GPv2) protocol.
The CoW Swap team said that the settlement contract that was exploited only has access to the fees collected by the protocol in a week and that the hacker was unable to directly access user funds. The team clarified that it experienced a security breach after the hacker exploited a solver account, a participant that competes to provide users with the best trade prices.
CoW Swap is different from traditional decentralized exchanges (DEXs) because it doesn't require users to make trades themselves. Instead, users sign a trade agreement to exchange two tokens at a specific price, which is then given to third-party "solvers." Each solver has access to the settlement contract, which usually stores collected fees over a one-week period (before they are used to reward solvers).
The recently added "barter solver" deployed an intermediate contract (for slippage protection) to which it gave unlimited DAI approval on behalf of the CoW Swap settlement contract. Due to a bug in the solver's contract, anyone could invoke arbitrary calls on the intermediary contract, and thus transfer out the protocol's internal DAI buffers using its allowance.
In response to the breach, CoW Swap immediately revoked all approvals for the barter solver and thus, indirectly, for the affected intermediary contract, SwapGuard. The team further reassured users that their funds were never at risk, since CoW Swap does not hold user funds. The solver's bond will pay for all damages incurred.
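The class of bug described above, as an added illustration that is not SwapGuard's or CoW Swap's actual code: an intermediary contract with an unrestricted arbitrary-call entry point, beside a hardened version that restricts who may drive it and which targets it may call. All contract and function names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// VULNERABLE (hypothetical, not SwapGuard's source). Any account can route an
// arbitrary call through this contract, so whatever token allowance another
// contract (e.g. a settlement contract) has granted to it is effectively
// granted to everyone: a caller can make it invoke transferFrom on its behalf.
contract ArbitraryCallGuard {
    function execute(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// HARDENED (hypothetical). Only the deploying solver may drive it, targets are
// restricted to an allowlist fixed at deployment, and the contract should be
// granted a per-settlement allowance rather than an unlimited approval so that
// a single standing approval is never worth more than one trade's buffer.
contract RestrictedGuard {
    address public immutable solver;
    mapping(address => bool) public allowedTargets;

    modifier onlySolver() {
        require(msg.sender == solver, "not solver");
        _;
    }

    constructor(address[] memory targets) {
        solver = msg.sender;
        for (uint256 i = 0; i < targets.length; i++) {
            allowedTargets[targets[i]] = true;
        }
    }

    function execute(address target, bytes calldata data)
        external
        onlySolver
        returns (bytes memory)
    {
        require(allowedTargets[target], "target not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

Revoking the settlement contract's approval, as CoW Swap did, neutralizes the vulnerable pattern immediately even before the intermediary is fixed, which is why approval hygiene matters as much as the contract's own access control.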
© 2023 The Block Crypto, Inc. All Rights Reserved.