CoW Swap Suffers Smart Contract Exploit, Resulting in an Approximately $166K Loss

Summary

On February 7, 2023, CoW Swap, a decentralized exchange (DEX) protocol, fell victim to a smart contract exploit, resulting in a loss of approximately 550 BNB, or about $180,000 USD. The breach stemmed from a flaw in the protocol’s smart contract, which allowed an unidentified attacker to authorize transfers of funds out of the protocol.

Attackers

The identity of the attacker is unknown.

Losses

  • $166,183

Timeline

  • January 27, 2023: Barter Solver enters the CoW Swap solver competition. After being allowlisted, they approved their SwapGuard contract.
  • February 7, 2023: Attackers exploit a vulnerability in the SwapGuard contract to transfer funds from CoW Swap’s settlement contract to their own accounts.
  • February 7, 2023: CoW Swap and Barter teams mitigate further damage by identifying the vulnerability, revoking all approvals for the vulnerable contract, and updating the Barter Solver contract.
  • February 8, 2023: Barter Solver refunds the losses caused by the hack.

Source - CoW Swap forum

Security Failure Causes

Two causes, according to the CoW Swap report:

  • Arbitrary Execution: The SwapGuard contract, developed by the Barter Solver, had a critical flaw: it allowed arbitrary execution of calls, which the attackers exploited to drain tokens.
  • Unrestricted Approvals: The Barter Solver approved the vulnerable SwapGuard contract with an unlimited (maximum-value) DAI allowance, without adequately securing the contract against potential exploits.
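The two causes above combine into a single pattern: a contract that forwards arbitrary calls while holding a large token allowance. The Solidity below is added here as an illustration and is not the Barter or CoW Swap code (the real SwapGuard source is not on this page); it shows that pattern beside a hardened version that restricts who may call, which targets may be called, and how much allowance the guard is given.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// ILLUSTRATIVE VULNERABLE PATTERN (not Barter's code): any caller can make this
// contract call any target with any calldata. Combined with an unlimited DAI
// allowance from the settlement contract, a call to the token's transferFrom()
// routed through here moves the approved funds wherever the caller chooses.
contract SwapGuardVulnerable {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED VERSION: only the solver may call, only allowlisted targets (DEX
// routers, never token contracts) may be called, and the allowance granted to
// the guard is bounded per settlement rather than set to type(uint256).max.
contract SwapGuardHardened {
    address public immutable solver;
    mapping(address => bool) public allowedTarget;

    constructor(address _solver, address[] memory targets) {
        solver = _solver;
        for (uint256 i = 0; i < targets.length; i++) {
            allowedTarget[targets[i]] = true;
        }
    }

    modifier onlySolver() {
        require(msg.sender == solver, "not solver");
        _;
    }

    function execute(address target, bytes calldata data) external onlySolver {
        require(allowedTarget[target], "target not allowlisted");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }

    // Helper the approving side (hypothetical) can use instead of a max approval:
    // grant exactly what the current settlement needs, then it drops to zero.
    function boundedApprove(IERC20 token, address spender, uint256 amount) external onlySolver {
        require(token.approve(spender, amount), "approve failed");
    }
}
```

The allowlist must exclude token contracts themselves; otherwise a forwarded transferFrom() call still drains whatever allowance the guard holds.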