• CoW Swap’s decentralized finance platform suffered a multisig attack on its settlement smart contract.
• Blockchain security auditing firm PeckShield confirmed the exploit and further details were explained by BlockSec, a smart contract auditing firm.
• CoW Swap has not yet released an official statement, but they claim to be already working towards fixing the vulnerability.
CoW Swap Security Breach
A multisig attack was recently detected on CoW Swap’s settlement smart contract. MevRefund, a blockchain security researcher and whitehat hacker, was the first to disclose this threat. Blockchain security auditing firm PeckShield later confirmed the exploit and provided more details on the breach.
Exploit Breakdown
The attacker added their wallet address as a “solver” of CoW Swap via a multisig, which allowed them to trigger the settlement smart contract and drain 550 BNB into Tornado Cash, a crypto anonymity funnel that masks transactions. The threat actor then invoked a transaction to approve DAI towards SwapGuard, which prompted it to transfer DAI from CoW Swap’s settlement contract to different addresses.
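The two steps described above (a newly added solver settling, and the settlement contract approving a token to an unexpected spender) can be watched for in monitoring. The following is an added example, not code from CoW Swap or the firms quoted here; the record schema, addresses, spender allowlist and block window are all constructed assumptions.

```python
# Constructed, normalized on-chain records (hypothetical schema, not a real event format).
SETTLEMENT = "0xSETTLEMENT"                # placeholder for the settlement contract address
KNOWN_SPENDERS = {"0xEXPECTED_SPENDER"}    # assumed: spenders the settlement contract may approve
NEW_SOLVER_WINDOW = 100                    # assumed: blocks during which a new solver counts as fresh

SAMPLE_EVENTS = [
    {"block": 1000, "type": "solver_added", "solver": "0xOLD"},
    {"block": 5000, "type": "settlement", "solver": "0xOLD"},
    {"block": 5010, "type": "solver_added", "solver": "0xNEW"},
    {"block": 5012, "type": "settlement", "solver": "0xNEW"},
    {"block": 5012, "type": "approval", "owner": SETTLEMENT,
     "token": "DAI", "spender": "0xSWAPGUARD"},
    {"block": 5020, "type": "approval", "owner": SETTLEMENT,
     "token": "DAI", "spender": "0xEXPECTED_SPENDER"},
    {"block": 5030, "type": "approval", "owner": "0xUSER",
     "token": "DAI", "spender": "0xANY"},
]

def detect(events, settlement=SETTLEMENT, known_spenders=KNOWN_SPENDERS,
           window=NEW_SOLVER_WINDOW):
    """Return (block, rule, detail) alerts for the two steps in the breakdown."""
    added_at = {}   # solver address -> block at which it was allowlisted
    alerts = []
    # sorted() is stable, so records within one block keep their input order
    for ev in sorted(events, key=lambda e: e["block"]):
        kind = ev["type"]
        if kind == "solver_added":
            added_at[ev["solver"]] = ev["block"]
        elif kind == "solver_removed":
            added_at.pop(ev["solver"], None)
        elif kind == "settlement":
            solver = ev["solver"]
            if solver not in added_at:
                alerts.append((ev["block"], "UNKNOWN_SOLVER", solver))
            elif ev["block"] - added_at[solver] <= window:
                alerts.append((ev["block"], "FRESH_SOLVER_SETTLED", solver))
        elif kind == "approval":
            # Only approvals granted BY the settlement contract matter here
            if ev["owner"] == settlement and ev["spender"] not in known_spenders:
                detail = f'{ev["token"]}->{ev["spender"]}'
                alerts.append((ev["block"], "SETTLEMENT_APPROVED_UNKNOWN_SPENDER", detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```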
Official Statement From CoW Swap
CoW Swap has not yet released an official statement on the matter, but they claim that they are already working towards fixing the vulnerability. They also reassured users that their accounts would remain unaffected by the exploit, since these can only be signed through an order executed by a user.
Smart Contract Audit Recommendations
All organizations dealing with cryptocurrency should consider getting regular smart contract audits done in order to stay secure from such attacks in the future. Smart contracts should also have measures such as multi-signature approvals for any major changes or transfers of funds built into them for better safety.