CoW Swap Protocol Exploit Drains 550 BNB

Published on:

CoW (Coincidence of Wants) Protocol , the decentralized finance platform over which CoW Swap is built, has suffered from a multisig attack on its settlement smart contract.

The threat disclosure was first released by MevRefund, a blockchain security researcher and whitehat hacker.

Blockchain security auditing firm PeckShield later confirmed the exploit, publicizing the disclosure on Twitter.

Further details into the exploit were explained by BlockSec, a smart contract auditing firm. According to BlockSec, the threat actor’s wallet address was added as a “solver” of CoW Swap via a multisig.

A multisig is a type of crypto-security measure in which more than one party’s cryptographic signature is required to approve a transaction. The attacker then used this access to trigger the settlement smart contract and drain 550 BNB into Tornado Cash, a crypto anonymity funnel that enables users to mask transactions, making it harder for anyone else to trace them.

The threat actor’s address later invoked the transaction in order to approve DAI towards SwapGuard, prompting SwapGuard to transfer DAI from CoW’s Swap settlement contract to a number of different addresses.

While CoW Swap has not yet released an official statement on the matter, the protocol’s developers claim that they are already working to the vulnerability. The protocol also said that the settlement contract of the exploit can only access the fees that have been collected by the protocol within a week’s time, with user funds secure, given how these can only be signed through an order executed by a user. CoW Swap’s team reassured users that their accounts would remain unaffected by the exploit, adding that they were not required to revoke any prior approvals.

Read more:  Coinbase's second quarter revenues exceeded expectations!

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.