CoW Swap Suffers Smart Contract Exploit, Resulting in an Approximately $166K Loss
Summary
On February 7, 2023, CoW Swap, a decentralized exchange (DEX) protocol, fell victim to a smart contract exploit, resulting in a loss of approximately 550 BNB, or about $180,000 USD. The breach occurred due to a flaw in the protocol’s smart contract, which allowed an unidentified attacker to approve fund transfers from the protocol.
Attackers
The identity of the attacker is unknown.
Losses
- $166,183
Timeline
- January 27, 2023: Barter Solver enters the CoW Swap solver competition. After being allowlisted, they approved their SwapGuard contract.
- February 7, 2023: Attackers exploit a vulnerability in the SwapGuard contract to transfer funds from CoW Swap’s settlement contract to their accounts.
- February 7, 2023: CoW Swap and Barter teams mitigate further damage by identifying the vulnerability, revoking all approvals for the vulnerable contract, and updating the Barter Solver contract.
- February 8, 2023: Barter Solver refunds the losses caused by the hack.
Security Failure Causes
The CoW Swap report gives a couple of reasons:
- Arbitrary Execution: The SwapGuard contract, developed by the Barter Solver, had a critical flaw. It allowed arbitrary execution of calls, a feature that the attackers exploited to drain tokens.
- Unrestricted Approvals: The Barter Solver approved the vulnerable SwapGuard contract for the maximum value of DAI without adequately securing the contract against potential exploits.
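
An audit for the unrestricted-approvals cause, added here as an example and not taken from the CoW Swap report or from either project's code: it replays ERC-20 Approval logs in chain order and lists the effectively unlimited allowances a watched owner (a stand-in for the settlement contract) still has outstanding to spenders that are not explicitly trusted. Every address and log entry is constructed, and the UNLIMITED_FLOOR threshold and the trusted-spender list are assumptions.

```python
# ERC-20 event: Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is "effectively unlimited"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_unlimited_approvals(logs, owner, trusted_spenders=()):
    """Replay Approval logs and return live, effectively unlimited allowances
    granted by `owner` to spenders outside `trusted_spenders`."""
    # The latest Approval value is an upper bound on the current allowance;
    # confirm each finding with allowance() on chain before acting on it.
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    live = {}  # (token, spender) -> most recent approved value
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not a standard ERC-20 Approval (ERC-721 uses 4 topics)
        if topic_to_address(topics[1]) != owner:
            continue  # approval granted by some other account
        key = (log["address"].lower(), topic_to_address(topics[2]))
        live[key] = int(log["data"], 16)  # a later 0 overwrites, i.e. revokes
    return sorted(
        (token, spender, value)
        for (token, spender), value in live.items()
        if value >= UNLIMITED_FLOOR and spender not in trusted
    )

# --- constructed sample data (not real addresses or real chain logs) ---
def pad(addr):
    return "0x" + "00" * 12 + addr[2:]

def approval(token, owner, spender, value):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

TOKEN, SETTLEMENT, GUARD, ROUTER, OLD, OTHER = (
    "0x" + b * 20 for b in ("aa", "11", "22", "33", "44", "55"))
SAMPLE_LOGS = [
    approval(TOKEN, SETTLEMENT, GUARD, MAX_UINT256),   # unlimited, untrusted spender
    approval(TOKEN, SETTLEMENT, OLD, MAX_UINT256),     # unlimited ...
    approval(TOKEN, SETTLEMENT, OLD, 0),               # ... later revoked
    approval(TOKEN, SETTLEMENT, ROUTER, MAX_UINT256),  # unlimited but trusted
    approval(TOKEN, OTHER, GUARD, MAX_UINT256),        # different owner
    approval(TOKEN, SETTLEMENT, OTHER, 1000),          # bounded allowance
]
```

Run against the approvals granted by a contract that holds user funds, the output is the list of spenders whose own code paths (such as an arbitrary-call function) need review or whose approval should be revoked.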