CoW Swap, a decentralised exchange (DEX) protocol, has suffered a security breach resulting in the loss of at least 550 BNB. The funds were transferred from the protocol via an approved contract exploit.
Blockchain surveyor MevRefund detected the event and notified CoW Swap and its users via a Twitter thread. The transfer of funds was identified as the result of an exploit by the maximal extractable value searcher.
PeckShield, a blockchain security firm, estimated that around 551 BNB was lost, which was worth $181,600 at the time of writing. Following the theft of the assets, the hacker transferred the funds to the infamous crypto mixer Tornado Cash.
The attacker used CoWSwap’s GPv2Settlement contract and was duped into approving SwapGuard for DAI spending ten days ago. Following that, SwapGuard was used to transfer DAI from GPv2Settlement. According to reports, the SwapGuard function allows anyone to make arbitrary function calls. The current amount used exceeds $180,000.
The exploiter appears to have been active only a few hours ago. Some are also reporting that others are using the same exploit, competing for the few funds that remain. CoW Swap has yet to release an official statement regarding the incident.
According to CoW Swap, the exploited settlement contract has access to only the fees collected by the protocol in a week. The team stated that it is unable to access user funds without an order directly signed by users. In an official Twitter announcement, the DEX team explained their full analysis of what happened.
CoW Swap is a new DEX that uses “Coincidence of Wants” as part of its order matching and execution method. To execute orders, it combines on-chain and off-chain transactions.
Last year, the platform made headlines when it announced the COW token airdrop. The associated Gnosis chain and token benefited as well, with the GNO token rising by more than 50% following the announcement.
The incident is yet another in the DeFi space, which is a popular target for attackers. In 2022, billions of dollars were stolen from the DeFi market, and several incidents have already occurred in 2023.