CoW (Coincidence of Wants) Protocol, the decentralized finance platform over which CoW Swap is built, has suffered from a multisig attack on its settlement smart contract.
The threat disclosure was first released by MevRefund, a blockchain security researcher and whitehat hacker.
@CoWSwap your funds appear to be moooving away …https://t.co/li1NkXNeUp
— MevRefund (@MevRefund) February 7, 2023
Blockchain security auditing firm PeckShield later confirmed the exploit, publicizing the disclosure on Twitter.
It seems (1) @CoWSwap’s GPv2Settlement contract has been tricked 10 days ago to approve SwapGuard for DAI spending and (2) SwapGuard was just triggered to transfer out DAI from GPv2Settlement. Here are the two related txs: https://t.co/Tb8Sk5xqMR and https://t.co/JS7ejDhiAs https://t.co/Wpbeq4UoEP pic.twitter.com/oRWIzeOLzz
— PeckShield Inc. (@peckshield) February 7, 2023
BlockSec, a smart contract auditing firm, explained further details of the exploit. According to BlockSec, the threat actor’s wallet address was added as a “solver” of CoW Swap via a multisig.
A multisig is a type of crypto-security measure in which more than one party’s cryptographic signature is required to approve a transaction. The attacker then used this access to trigger the settlement smart contract and drain 550 BNB into Tornado Cash, a crypto anonymity funnel that enables users to mask transactions, making it harder for anyone else to trace them.
The threat actor’s address later invoked the transaction in order to approve DAI towards SwapGuard, prompting SwapGuard to transfer DAI from CoW Swap’s settlement contract to a number of different addresses.
While CoW Swap has not yet released an official statement on the matter, the protocol’s developers claim that they are already working to address the vulnerability. The protocol also said that the settlement contract involved in the exploit can only access the fees that have been collected by the protocol within a week’s time, and that user funds are secure, given how these can only be signed through an order executed by a user. CoW Swap’s team reassured users that their accounts would remain unaffected by the exploit, adding that they were not required to revoke any prior approvals.
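The sequence described above, an approval granted by the settlement contract followed days later by a transfer out, leaves an on-chain trace that a monitor can alert on at the approval step. The following is an added detection sketch, not code from CoW Protocol or the firms quoted here; the addresses are constructed placeholders and the spender allowlist is a hypothetical policy input.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
# Constructed placeholder addresses, not the real on-chain ones
SETTLEMENT, KNOWN_SPENDER = "0x" + "aa" * 20, "0x" + "bb" * 20
UNKNOWN_SPENDER, TOKEN = "0x" + "cc" * 20, "0x" + "dd" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def flag_approvals(logs, owner, allowed_spenders):
    """Return Approval events in which `owner` grants a non-zero allowance
    to a spender that is not in `allowed_spenders`."""
    allowed = {a.lower() for a in allowed_spenders}
    findings = []
    for log in logs:
        topics = log.get("topics", [])
        # ERC-20 Approval carries exactly 3 topics (ERC-721 carries 4)
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue  # allowance granted by some other account
        spender, value = topic_to_address(topics[2]), int(log["data"], 16)
        if value == 0 or spender in allowed:
            continue  # a revocation, or an expected spender
        findings.append({"token": log["address"].lower(), "spender": spender,
                         "value": value, "unlimited": value == MAX_UINT256,
                         "tx": log.get("transactionHash")})
    return findings

def pad(addr):
    """Encode an address as a 32-byte topic."""
    return "0x" + "0" * 24 + addr[2:]

# Constructed sample logs in eth_getLogs shape
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(SETTLEMENT), pad(KNOWN_SPENDER)],
     "data": hex(10**18), "transactionHash": "0x01"},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(SETTLEMENT), pad(UNKNOWN_SPENDER)],
     "data": hex(MAX_UINT256), "transactionHash": "0x02"},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(UNKNOWN_SPENDER), pad(SETTLEMENT)],
     "data": hex(5), "transactionHash": "0x03"},
]

if __name__ == "__main__":
    for finding in flag_approvals(SAMPLE_LOGS, SETTLEMENT, [KNOWN_SPENDER]):
        print(finding)
```

Alerting when the allowance is granted rather than when it is spent matters here because, per PeckShield's timeline, the approval preceded the transfer by 10 days.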