DeFi Platform CoW Protocol Loses Over 550 BNB in Contract Exploit

Decentralized finance (DeFi) protocol CoW Swap has suffered a smart contract exploit, leading to the loss of approximately 551 BNB ($181,600).

According to reports, the attacker added a wallet address as a “solver” of CoW Swap and invoked a transaction to approve DAI transfers to SwapGuard before moving the assets to other addresses.

A Settlement Contract Exploit

Blockchain surveyor MevRefund first noticed the attack in the early hours of today. The maximal extractable value (MEV) searcher tweeted that CoW Swap’s funds were being moved, adding that the protocol’s SwapGuard feature had been granted allowance and allowed anyone to make “arbitrary function calls.”

Within an hour, blockchain security firm PeckShield revealed that CoW Swap’s GPv2Settlement contract was tricked ten days ago, approving SwapGuard for DAI spending.

At the time of the exploit, the attacker just triggered the SwapGuard to transfer DAI out of the GPv2Settlement contract.

In a more detailed explanation, blockchain security platform BlockSec disclosed that the attacker had added a wallet address as a solver of the protocol by the multi-sig, hence, the ability to approve the transactions. Since the DAI transfer was approved from the settlement contract, the exploiter could also approve transfers to arbitrary addresses.

“A lesson learned. A contract with the interface of arbitrary call should not have any allowance, 0x55a37a2e5e5973510ac9d9c723aec213fa161919 made the mistake and approved the maximum value of DAI to SwapGuard, which is the root cause of the attack,” BlockSec said.

Over $181k Moved to Tornado Cash

Tokens transferred to the exploiter’s address include BNB, USDT, USDC, and ETH. So far, roughly 551 BNB worth over $181,000 has been moved to the OFAC-sanctioned crypto mixer Tornado Cash.

CoW Swap urged users not to worry, as the stolen funds were CoW Protocol’s accumulated fees from the past week. The platform said the issue has been mitigated and is currently under investigation.

CoW Protocol is the latest DeFi platform to suffer at the hands of daring hackers this month. CryptoPotato reported last week that Orion Protocol and BonqDAO were hacked, leading to the loss of $3 million and $10 million, respectively.