Decentralized exchange aggregator CoW Swap suffered a major hack, with the attacker making off with over $180,000 in funds, according to security firms PeckShield and BlockSec.
As a decentralized exchange (DEX) aggregator, CoW Swap’s goal is to provide users with the best prices across decentralized exchanges. However, a hacker targeted its trade settlement smart contract, GPv2Settlement, to drain funds.
PeckShield estimated that the attacker drained roughly $180,000 worth of DAI from CoW Swap before routing the funds through Tornado Cash to obtain 551 BNB. The attack targeted GPv2Settlement, the trade settlement smart contract that is part of the CoW Swap alpha (GPv2) protocol.
It appears that the attacker tricked the owner of the GPv2Settlement contract into approving the use of SwapGuard, which is normally not permitted. According to PeckShield, SwapGuard is a second contract used by CoW Swap to assist with and validate swap results. This approval may have contributed to the success of the attack, as SwapGuard allows arbitrary function calls. In the context of smart contracts, arbitrary function calls let anyone with access to the contract make it execute any function call.
A BlockSec spokesperson told The Block that there is a function in the SwapGuard contract that can transfer money to any address. The attacker invoked this public function to transfer the DAI to their own address.
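To make the failure mode described above concrete, here is an added illustration in Solidity. It is not CoW Swap's code, and none of the contract, function or event names in it (OpenCallHelper, GuardedCallHelper, FeeVault, execute, settleVia, CallExecuted) come from the protocol; they are assumptions for the sake of the example. It shows the general weak pattern the article describes, an unauthenticated "call anything" helper that holds a standing ERC-20 allowance from a fee-holding contract, beside a hardened form in which the caller and the target are allow-listed, every call is logged for monitoring, and the allowance exists only for the duration of one settlement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// --- Weak pattern (hypothetical, modelled on the article's description) ---
// An unauthenticated helper that forwards any call to any address. If another
// contract has granted this helper a standing ERC-20 allowance, any caller can
// make the helper call token.transferFrom(approver, anyAddress, amount): the
// allowance belongs to the helper, not to the account that triggers it.
contract OpenCallHelper {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// --- Hardened pattern ---
// 1. Only allow-listed operators (e.g. vetted solver accounts) may trigger calls.
// 2. Only allow-listed target contracts (e.g. specific DEX routers) may be called.
// 3. Every forwarded call is logged so off-chain monitoring can alert on
//    unexpected operators, targets or function selectors.
contract GuardedCallHelper {
    address public immutable owner;
    mapping(address => bool) public operators;
    mapping(address => bool) public targets;

    event CallExecuted(address indexed operator, address indexed target, bytes4 selector);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyOperator() { require(operators[msg.sender], "not operator"); _; }

    constructor() { owner = msg.sender; }

    function setOperator(address who, bool allowed) external onlyOwner { operators[who] = allowed; }
    function setTarget(address what, bool allowed) external onlyOwner { targets[what] = allowed; }

    function execute(address target, bytes calldata data) external onlyOperator returns (bytes memory) {
        require(targets[target], "target not allowed");
        require(data.length >= 4, "no selector");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        emit CallExecuted(msg.sender, target, bytes4(data[:4]));
        return ret;
    }
}

// The fee-holding contract (hypothetical) never leaves a standing allowance in
// place: it approves exactly what one settlement needs, performs the call, and
// clears the allowance in the same transaction. FeeVault must be registered as
// an operator on the helper for settleVia to succeed.
contract FeeVault {
    address public immutable owner;
    GuardedCallHelper public immutable helper;

    constructor(GuardedCallHelper h) { owner = msg.sender; helper = h; }

    function settleVia(IERC20 token, uint256 amount, address target, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        token.approve(address(helper), amount);  // just-in-time allowance
        helper.execute(target, data);
        token.approve(address(helper), 0);       // nothing left for a later caller to spend
    }
}
```

The difference that matters for this incident is the combination: an open `execute` on `OpenCallHelper` is harmless on its own, and a standing allowance to a fully trusted contract is also tolerable, but an open forwarder that holds an allowance lets any address spend the approver's tokens. The `CallExecuted` event gives defenders a concrete signal to watch: a forwarded call whose operator, target or selector is not on the expected list is worth an alert before funds move.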
The CoW Swap team said that the settlement contract that was exploited only holds the fees collected by the protocol over a week and that the hacker was unable to access user funds directly. The team clarified that it experienced a security breach after the hacker exploited a solver account, a participant that competes to provide users with the best trade prices.
CoW Swap is different from traditional decentralized exchanges (DEXs) because it doesn’t require users to make trades themselves. Instead, users sign a trade agreement to exchange two tokens at a specific price, which is then given to third-party “solvers.” Each solver has access to the settlement contract, which usually stores collected fees for a one-week period before they are used to reward solvers.
In response to the breach, CoW Swap immediately revoked all approvals for the affected contract and upgraded to a new contract without arbitrary-execution functionality. The team further reassured users that their funds were never at risk, since CoW Swap does not hold user funds. The solver’s bond will pay for all damages incurred.