CoW Swap Hit by DNS Attack, Users Urged to Stay Away Amid Ongoing Exploit

CoW Swap paused its protocol on April 14 after attackers hijacked the DNS records of its frontend, redirecting users to a malicious site that drained at least US$1 million (AU$1.45 million) in crypto assets.

The exploit was detected at 14:54 UTC, with Cow DAO issuing a public warning at 15:41 UTC and confirming the DNS compromise at 16:24 UTC. The team halted the protocol shortly after, although backend systems and smart contracts were not directly affected.

The attack targeted the domain swap.cow.fi at the registrar level, redirecting traffic to a cloned interface designed to trick users into connecting wallets and approving transactions. CoW Swap operates as a non-custodial protocol, meaning funds remained in user wallets and no contract-level breach occurred.

On-chain data shows at least US$1 million (AU$1.45 million) was extracted within three hours. One flagged address alone received 219 ETH from a single wallet. The total impact remains uncertain, however.

Read more: Quantum Threat to Crypto? XRP Ledger Shows Surprising Resilience

Losses and User Response

Cow DAO instructed affected users at 16:33 UTC to revoke all token approvals using revoke.cash. 

Security firm Blockaid flagged the malicious domains, including swap.cow.fi and cow.fi, during the incident. The team continued monitoring activity until around 18:15 UTC and requested transaction hashes from potentially impacted users.

Similar exploits have affected platforms such as Curve Finance and Balancer.

CoW Swap, part of the Gnosis ecosystem, processes trades using batch auctions and “Coincidence of Wants” matching, a system that pairs users directly to reduce reliance on external liquidity and limit MEV (maximum extractable value). 

The protocol remained offline at the time of reporting, with no confirmed timeline for restoration or post-incident analysis released.

Read more: Aave DAO Approves $25M Grant Despite Internal Pushback