Cow Protocol suffers a DNS hijacking; users must immediately revoke permissions

MarketWhisper

Cow Protocol Attack Incident

Cow Swap, a DEX aggregation platform built on the Cow Protocol, confirmed on April 14 that its main frontend swap.cow.fi was subject to DNS hijacking. The attacker redirected users’ traffic to a spoofed website by tampering with DNS records and deployed a wallet-drainer script on it. Cow DAO has since paused the protocol’s API and backend services; affected users must immediately revoke the relevant approvals.

Complete Event Timeline

UTC 14:54: swap.cow.fi’s DNS records were tampered with, and the attacker began routing traffic to a spoofed trading interface

UTC 15:41: Cow DAO posted a public warning on the X platform, advising users to stop interacting with the website entirely during the investigation

UTC 16:24: Cow DAO officially confirmed the DNS hijacking, stating clearly that neither the protocol backend nor the API itself was compromised and that the service pause is a preventive measure

UTC 16:33: Cow DAO released specific guidance, requiring users who interacted with the impacted frontend after UTC 14:54 to immediately revoke approvals

UTC 18:15: The team continues monitoring and asks users involved in suspicious transactions to submit transaction hashes for review

As of the time of this report, the protocol is still paused. Cow DAO has not yet announced a full restoration of the service and has not published a complete post-incident analysis report.

How the DNS Hijacking Attack Works: Why DeFi Frontends Are Still a High-Risk Entry Point

DNS hijacking does not require compromising smart contract code. Instead, the attack targets the domain infrastructure layer. By tampering with the DNS records of the target domain, attackers redirect traffic to a spoofed server, and then deploy a wallet-draining program (Wallet Drainer) on the spoofed interface. Once a user connects their wallet or signs an approval on the spoofed interface, the malicious program triggers automatic transfers.

The technical entry point for this kind of attack is typically not the protocol code but the account used to manage the domain at the registrar or DNS provider: social engineering of the provider’s customer-support staff, use of leaked two-factor authentication (2FA) credentials, or direct compromise of the domain management account. In recent months, several DeFi protocols have suffered similar frontend DNS attacks in succession.

Cow Protocol itself is a non-custodial protocol and does not hold any user funds. This risk is limited to users who proactively sign transactions using the compromised frontend. The community has reported scattered suspicious transactions, but as of now, there has been no confirmation of any systemic fund extraction that affects the entire protocol.

Immediate Action Checklist for Affected Users

If you visited swap.cow.fi or cow.fi after UTC 14:54, and connected your wallet or signed any transaction, you should immediately take the following steps:

Emergency Action Guide

Go to revoke.cash: Immediately revoke all relevant contract approvals granted after the above time point

Check your wallet transaction history: Confirm whether there were any unauthorized transfers or unusual approval actions

Stop visiting related domains: Until Cow DAO officially confirms that the “website is safe to use,” avoid visiting swap.cow.fi and cow.fi

Submit the transaction hash: If you find a suspicious transaction, submit the hash value according to Cow DAO’s instructions for a security review
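The first two checklist items (find approvals granted after the incident start and confirm which are still open) can be automated from a wallet’s ERC-20 Approval logs. The following is an added example, not code from the article or from Cow DAO; it assumes logs in the eth_getLogs shape with a block timestamp attached by the caller, an incident year of 2026 (the article gives no year), and constructed wallet, token and spender addresses.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
# Incident start from the article's timeline; the year is an assumption (not stated).
INCIDENT_START = datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc)

def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def approvals_to_revoke(logs, owner, since=INCIDENT_START):
    """Replay Approval logs in chain order for `owner`; return each (token, spender)
    whose latest allowance is non-zero and was set at or after `since`."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or len(log["topics"]) != 3:
            continue
        if topic_to_address(log["topics"][1]) != owner:
            continue
        spender = topic_to_address(log["topics"][2])
        when = datetime.fromtimestamp(log["timestamp"], tz=timezone.utc)
        state[(log["address"].lower(), spender)] = (int(log["data"], 16), when)
    hits = [{"token": t, "spender": s, "unlimited": v == UNLIMITED, "granted": w.isoformat()}
            for (t, s), (v, w) in state.items() if v > 0 and w >= since]
    # unlimited approvals sort first: they are the most dangerous to leave open
    return sorted(hits, key=lambda h: (not h["unlimited"], h["token"], h["spender"]))

# --- constructed sample data (hypothetical addresses, not real chain data) ---
OWNER = "0x" + "11" * 20    # hypothetical victim wallet
TOKEN = "0x" + "aa" * 20    # hypothetical ERC-20 token contract
ROUTER = "0x" + "22" * 20   # known spender approved before the incident
DRAINER = "0x" + "33" * 20  # unknown spender approved after 14:54 UTC
OTHER = "0x" + "44" * 20    # approved after 14:54 UTC, then revoked by the user

def _pad(addr): return "0x" + addr[2:].lower().rjust(64, "0")
def _at(h, m): return datetime(2026, 4, 14, h, m, tzinfo=timezone.utc)
def _log(block, when, spender, value):
    return {"address": TOKEN, "blockNumber": block, "logIndex": 0,
            "timestamp": int(when.timestamp()), "data": "0x" + format(value, "064x"),
            "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(spender)]}

SAMPLE_LOGS = [
    _log(100, _at(13, 0), ROUTER, 10**18),      # before 14:54 UTC: not in scope
    _log(105, _at(15, 2), DRAINER, UNLIMITED),  # after 14:54, unlimited: revoke
    _log(106, _at(15, 5), OTHER, 5 * 10**18),   # after 14:54 ...
    _log(110, _at(16, 40), OTHER, 0),           # ... but already revoked (allowance 0)
]
```

Running `approvals_to_revoke(SAMPLE_LOGS, OWNER)` on the constructed logs returns only the unlimited approval to the unknown spender; the pre-incident approval and the one the user already set back to zero are left out.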

Frequently Asked Questions

How did the DNS hijacking of Cow Protocol happen?

The attacker tampered with the DNS records of swap.cow.fi to redirect legitimate users’ traffic to a spoofed website that deployed a wallet-draining program. These attacks typically involve social engineering against customer support at the domain service provider, or using leaked domain management account 2FA credentials to carry them out, and they do not involve vulnerabilities in the protocol smart-contract layer.

Did this attack affect Cow Protocol’s smart contracts?

No. Cow DAO has confirmed clearly that the smart contracts and on-chain infrastructure were completely unaffected by this incident. The protocol backend and API were also not compromised. The service pause is purely a preventive measure intended to prevent more users from visiting the compromised frontend during the investigation.

How can I tell if I’m affected?

If you accessed swap.cow.fi or cow.fi after UTC 14:54 and connected your wallet or signed any transaction, you are potentially at risk. Immediately go to revoke.cash to revoke approvals and carefully review your wallet’s recent transaction history. Keep an eye on Cow DAO’s official X account and wait for the official notice that the service has been restored safely.
