Recently, security firm PeckShield alerted that an exploiter drained over $180K worth of assets from CoW Swap DEX and transferred them to Tornado Cash.
The decentralized finance (DeFi) industry has been growing rapidly in recent years, with millions of dollars being invested in various DeFi protocols. Despite this rapid growth, the DeFi sector is still relatively new and is facing numerous challenges, one of which is the threat of exploits. According to the latest report, CoW Swap, a decentralized exchange (DEX) built on Binance Smart Chain, experienced a significant exploit today, resulting in a loss of $180K from its contract address.
CoW Swap Becomes The Latest Victim Of DeFi Exploit 2023
CoW Swap is the trailblazer in trading interfaces built on the CoW Protocol. CoW Swap is more than just a typical Meta DEX aggregator; it’s a game-changer. With its innovative technology, users can buy and sell tokens without the hassle of gas fees. All transactions are settled directly between peers or can be executed into any on-chain liquidity source, providing an extra layer of protection against MEV attacks.
However, the DEX has been recently exploited despite providing an enhanced encrypted layer. According to an on-chain security firm, PeckShield, the hacker successfully drained roughly 551 BNB from CoW Swap into Tornado Cash, which was valued around $181,600 at the time of writing. MevRefund, the sharp-eyed blockchain surveyor, noticed suspicious activity and sounded the alarm. The MEV searcher carefully tracked the movement of funds and found that they were moving away from CoW Swap. In a swift and diligent response, MevRefund warned the DEX and its users through a series of tweets, keeping everyone informed and protected against potential exploitation.
Hacker Triggers SwapGuard To Transfer DAI
Smart contract auditing firm BlockSec tracked a wallet address that was added as a solver of CoW Swap by a multisig. The daring attacker has struck CoWSwap and made off with a hefty sum. It seems that the attacker was able to outsmart CoWSwap’s GPv2Settlement contract by tricking it into approving SwapGuard for DAI spending. Then, like a thief in the night, the attacker triggered SwapGuard to transfer DAI from GPv2Settlement as SwapGuard allows anyone to make any function calls they please. The total amount exploited was a staggering $180,000: $123,000 in DAI, $50,000 in BNB, and $7,400 in ETH were moved using two wallets.
As news of the attack on CoWSwap spread, some members were quick to call for action, urging users to revoke approvals from the DEX. However, the decentralized finance (DeFi) experts at CoWSwap say there’s no need to hit the panic button. They assure everyone that everything is under control and revoking approvals is unnecessary. The DEX stated, “We are aware of an issue that has impacted the fees that CoW Protocol has collected over the past week. We have mitigated the issue and are conducting an investigation. Traders are in no way affected. More details to follow.”
Regarding revoking approvals, CoW Swap said, “Users don’t need to revoke approvals! The CoW Swap settlement contract only stores fees that the protocol accrued over the week. It cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return.”
Hacks and threats may be looming in the world of DeFi, but the industry isn’t backing down. In fact, it’s thriving like never before, as a recent report from DappRadar shows that DeFi had a blazing start to 2023. The data indicates that protocols in the space saw massive growth in their total value locked in the month of January. Despite the challenges, DeFi is proving to be a force to be reckoned with, and it’s only just getting started.