CoW Swap said it suffered no loss – despite $166k exploit

Decentralized exchange (DEX) protocol CoW Swap confirmed that it was exploited for $166,000 by a hacker who drained a settlement contract containing its protocol fees.

Meanwhile, blockchain analytics firm Nansen reported that the exploiter stole roughly $180,000. The funds had been consolidated in two wallets containing at least $123,000 DAI, $50,000 BNB and $7,400 ETH.

The exploit was first spotted by blockchain surveyor MevRefund.

CoW Swap details exploit

The decentralized exchange said an external party that had access to its settlement contract had set approval to a “bad contract” 10 days ago.

The hacker exploited this approval because the bad contract allowed anyone to transfer from the settlement contract.

Blockchain security firm PeckShield corroborated CoW Swap’s explanation. The DEX’s GPv2Settlement contract was tricked ten days ago into approving SwapGuard for DAI spending, according to the firm.

The exploiter later triggered SwapGuard to transfer the DAI from the GPv2Settlement contract. Through this compromise, anyone could issue an arbitrary call on the contract.
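The stale approval sat on-chain for ten days before it was used, which is the window an allowance audit is meant to catch. The sketch below is an added example, not CoW Swap's or PeckShield's code: it replays ERC-20 `Approval` logs and reports any non-zero allowance the settlement contract has granted to a spender outside a reviewed allowlist. All addresses and log entries are constructed placeholders, and block numbers and log indexes are assumed to be already decoded to integers.

```python
# Added example: replay ERC-20 Approval logs and report allowances that a
# settlement contract has granted to spenders outside a reviewed allowlist.
# All addresses and log entries below are constructed placeholders.

# keccak256("Approval(address,address,uint256)"), the ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

SETTLEMENT = "0x" + "11" * 20       # placeholder: the settlement contract
KNOWN_SPENDER = "0x" + "22" * 20    # placeholder: a reviewed spender
UNKNOWN_SPENDER = "0x" + "33" * 20  # placeholder: an unreviewed contract
TOKEN = "0x" + "aa" * 20            # placeholder: an ERC-20 token


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def open_allowances(logs, owner, allowlist):
    """Return {(token, spender): allowance} for every non-zero allowance the
    owner currently grants to a spender that is not in the allowlist."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 uses four topics)
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by some other owner
        spender = topic_to_address(topics[2])
        # Latest event wins, so a later approve(0) clears the finding.
        state[(log["address"].lower(), spender)] = int(log["data"], 16)
    allowed = {a.lower() for a in allowlist}
    return {k: v for k, v in state.items() if v > 0 and k[1] not in allowed}


def make_log(block, index, spender, value):
    """Build a constructed Approval log with the settlement contract as owner."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(SETTLEMENT), pad(spender)],
            "data": f"0x{value:064x}"}


SAMPLE_LOGS = [
    make_log(100, 0, KNOWN_SPENDER, 5000),
    make_log(101, 3, UNKNOWN_SPENDER, 2**256 - 1),  # unlimited approval
]

if __name__ == "__main__":
    print(open_allowances(SAMPLE_LOGS, SETTLEMENT, [KNOWN_SPENDER]))
```

Run on a schedule against the contract's real logs, a non-empty result is the signal to review the spender and revoke the allowance.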

CoW Swap said it suffered no loss

Despite the $166,000 exploit, CoW Swap said it is not suffering any losses as its solver’s bond can pay for all damages.

“Potential damages are capped on the weekly income of the protocol + are protected by the solver bonding pools.”

The DEX added that none of its users’ funds were impacted because it does not hold their funds.

The protocol said all of the approvals for the bad contract had been revoked, adding that no more malicious actions were possible.

Users don’t need to revoke approvals because the hacker “cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return,” CoW Swap added.

Posted In: DeFi, DEX, Hacks
