CoW Swap Suffers Smart Contract Exploit, Resulting in an Approximately $166K Loss

February 7, 2023

Summary #

On February 7, 2023, CoW Swap, a decentralized exchange (DEX) protocol, fell victim to a smart contract exploit, resulting in a loss of approximately 550 BNB, or about $180,000 USD. The breach occurred due to a flaw in the protocol’s smart contract, which allowed an unidentified attacker to approve fund transfers from the protocol.

Attackers #

The identity of the attacker is unknown.

Losses #

$166,183

Timeline #

January 27, 2023: Barter Solver enters the CoW Swap solver competition. After being allowlisted, they approved their SwapGuard contract.
February 7, 2023: Attackers exploit a vulnerability in the SwapGuard contract to transfer funds from the CoW Swap’s settlement contract to their accounts.
February 7, 2023: CoW Swap and Barter teams mitigate further damage by identifying the vulnerability, revoking all approvals for the vulnerable contract, and updating the Barter Solver contract.
February 8, 2023: Barter Solver refunds the losses caused by the hack.

Source - CoW Swap forum

Security Failure Causes #

A couple of reasons, according to the CoW Swap report:

Arbitrary Execution: The SwapGuard contract, developed by the Barter Solver had a critical flaw. It allowed arbitrary execution of calls, a feature that the attackers exploited to drain tokens.
Unrestricted Approvals: The Barter Solver approved the vulnerable SwapGuard contract with a maximum value of DAI, without adequately securing the contract against potential exploits.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam