The decentralized finance (DeFi) protocol CoW Swap suffered a smart contract exploit, resulting in the loss of approximately 551 BNB ($181,600).
The attacker reportedly added a wallet address as a CoW Swap “resolver” and invoked a transaction to approve DAI transfers to SwapGuard before moving the assets to other addresses.
An Exploitation of the Settlement Contract
Blockchain analyst MevRefund first noticed the attack in the early hours of today. The Maximum Extractable Value (MEV) researcher tweeted that CoW Swap funds were being moved, adding that the protocol’s SwapGuard contract had been given an allowance and allowed anyone to make “arbitrary function calls.”
Within an hour, blockchain security firm PeckShield revealed that the CoW Swap GPv2Settlement contract had been tricked ten days earlier into approving SwapGuard to spend its DAI.
At the time of the exploit, the attacker simply had SwapGuard transfer DAI out of the GPv2Settlement contract.
Explaining further, blockchain security platform BlockSec revealed that the attacker had added a wallet address as a protocol resolver for the multi-sig, which gave it the ability to approve transactions. Since the settlement contract had approved the DAI transfer, the operator could also approve transfers to arbitrary addresses.
“A lesson learned. A contract with the arbitrary call interface should not have any grants, 0x55a37a2e5e5973510ac9d9c723aec213fa161919 failed and passed the maximum DAI value for SwapGuard, which is the root cause of the attack,” BlockSec said.
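To make the root cause concrete, the following Python model is an added example and is not CoW Protocol’s code. It simulates an ERC-20 style ledger, a settlement vault, and a helper contract whose call interface is open to anyone (standing in for the SwapGuard role described above). The names `settlement`, `helper`, `anyone` and `counterparty`, and every balance, are constructed. The model contrasts a standing unlimited allowance to the open-call contract with a per-settlement allowance that is revoked in the same transaction (assumed atomic), and includes an audit helper that lists standing allowances held by open-call contracts, which is the check a protocol team would want to run.

```python
"""Constructed model of the allowance-plus-arbitrary-call pattern.
Everything here is a simplified simulation, not CoW Protocol code."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

MAX_UINT = 2**256 - 1  # conventional ERC-20 "unlimited" approval value


@dataclass
class Token:
    """Minimal ERC-20-style ledger: balances and (owner, spender) allowances."""
    balances: Dict[str, int] = field(default_factory=dict)
    allowances: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # `caller` plays the role of msg.sender: the spender must hold the allowance
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT:  # unlimited allowances are conventionally not decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class OpenCallContract:
    """Hypothetical helper whose call interface has no access control:
    whatever it calls runs with the helper's own address as msg.sender."""
    address = "helper"

    def execute(self, caller: str, fn: Callable, *args):
        # Any caller, privileged or not, can make the helper act on its behalf.
        return fn(self.address, *args)


def risky_allowances(token: Token, open_contracts: Set[str]) -> List[Tuple[str, str, int]]:
    """Audit check: standing (non-zero) allowances granted to open-call contracts."""
    return [(owner, spender, amt) for (owner, spender), amt in token.allowances.items()
            if spender in open_contracts and amt > 0]


def vulnerable_scenario() -> dict:
    """Standing unlimited grant to the open helper: the vault can be emptied by anyone."""
    token = Token(balances={"settlement": 1_000_000})
    helper = OpenCallContract()
    token.approve("settlement", helper.address, MAX_UINT)
    # An unprivileged address routes transferFrom through the helper; the token
    # sees the helper as the spender, and the helper holds the allowance.
    helper.execute("anyone", token.transfer_from, "settlement", "anyone", 1_000_000)
    return {"settlement": token.balances["settlement"],
            "anyone": token.balances["anyone"],
            "risky": risky_allowances(token, {helper.address})}


def hardened_scenario() -> dict:
    """Allowance scoped to one settlement's exact amount and revoked afterwards."""
    token = Token(balances={"settlement": 1_000_000})
    helper = OpenCallContract()
    token.approve("settlement", helper.address, 40_000)   # exact amount for this batch
    helper.execute("settlement", token.transfer_from, "settlement", "counterparty", 40_000)
    token.approve("settlement", helper.address, 0)        # nothing left standing
    try:
        helper.execute("anyone", token.transfer_from, "settlement", "anyone", 1)
        drained = True
    except PermissionError:
        drained = False
    return {"settlement": token.balances["settlement"],
            "drained": drained,
            "risky": risky_allowances(token, {helper.address})}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())
    print("hardened:", hardened_scenario())
```

The audit function is the practical takeaway: a non-empty result from `risky_allowances` for any contract that exposes an unrestricted call path is exactly the condition BlockSec describes, and the fix is to size and revoke allowances within the transaction that needs them rather than leaving a maximum-value grant in place.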
Over $181k transferred to Tornado Cash
Tokens transferred to the exploiter’s address include BNB, USDT, USDC, and ETH. So far, approximately 551 BNB, worth more than $181,000, has been moved to the OFAC-sanctioned crypto mixer Tornado Cash.
CoW Swap urged users not to worry, as the stolen funds were CoW Protocol’s accumulated fees from last week. The platform said that the issue has been mitigated and is currently under investigation.
CoW Protocol is the latest DeFi platform to suffer at the hands of daring hackers this month. CryptoPotato reported last week that Orion Protocol and BonqDAO were hacked, resulting in the loss of $3 million and $10 million, respectively.