CoW Swap Pauses After Website Compromise
CoW Swap paused its protocol on April 14 after a front-end attack hijacked its domain, draining ~$500K from users. Here's what happened.

What to Know
- CoW Swap paused its protocol on April 14, 2026 after attackers hijacked the front-end website domain
- Approximately $500,000 in digital assets were reportedly drained from user wallets via malicious token approvals
- Users who interacted with CoW Swap after 14:54 UTC on April 14 should revoke all approvals immediately
- CoW Protocol's backend smart contracts and APIs were not compromised — only the website interface was affected
The CoW Swap front-end attack on April 14 blindsided one of Ethereum's most-used DeFi exchange aggregators, forcing the team to pull the plug on the entire protocol while bad actors redirected users to a malicious clone site. Smart contracts stayed clean. Wallets did not.
What Actually Happened in the CoW Swap Front-End Attack?
Attackers seized control of CoW Swap's website domain — the URL users type into their browser to reach the exchange — and pointed it toward a lookalike site designed to steal funds. The exploit is a classic DNS hijack: no smart contract vulnerability, no private key leak, just a compromised domain registrar that redirected traffic. When users visited the site and approved token interactions, they were unknowingly signing off on malicious transfers that drained their wallets.
The CoW Swap front-end attack was first flagged on Tuesday, April 14, with the team posting a public warning urging users to stay off the platform entirely. The project's Discord server lit up with loss reports almost immediately. Three hours after the disclosure, the protocol remained frozen — a precautionary shutdown while the team scrambled to reclaim the domain and audit the damage.
The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.
How Much Was Lost — and Who Got Hit?
The full damage figure remained murky for hours. A pseudonymous team member known as MooKeeper said investigations were ongoing and that a formal assessment would follow within a day or two. The cautious framing was understandable — these things are notoriously hard to triage in real time. What was clearer: CoW Protocol confirmed that "a small number of users signed malicious approvals for very small amounts," suggesting the attack window was narrower than it first appeared.
Cybersecurity researcher Vladimir S. put a harder number on it, estimating around $500,000 drained from a handful of wallet addresses. Martin Köppelmann, co-founder and CEO of Gnosis, weighed in as well — he noted the blast radius looks limited to users who approved CoW Swap interactions within the few hours before the shutdown. If you hadn't touched the protocol that afternoon, you were likely fine.
I don't know what to do anymore. I have no money at all.
DNS Hijacks in DeFi: A Pattern That Won't Go Away
This isn't a new attack vector — and that's the part that should sting. DNS hijacks targeting DeFi front ends have been a known threat for years. Curve Finance was hit twice: the first attack in 2022 cost users $570,000, and a second DNS hijack followed last year. The playbook is identical every time — compromise the domain, spin up a fake front end, harvest approvals from users who have no reason to suspect anything is wrong.
The brutal irony for CoW Swap is that its underlying smart contracts held up perfectly. The protocol's signature batch auction mechanism, designed to protect users from MEV extraction, wasn't touched. The vulnerability wasn't in the code — it was in a DNS record. That's a server administration problem, not a DeFi problem. But users lost real money either way.
What makes CoW Swap a particularly high-profile target is its user base. Ethereum co-founder Vitalik Buterin has used the platform repeatedly this year to swap ETH for stablecoins, with on-chain data from Arkham Intelligence showing activity as recently as a week before the attack. He also used it in 2024 to sell a meme coin based on a baby pygmy hippo. When Buterin is a regular, you have name recognition — and name recognition attracts attackers.
What Should Affected Users Do Right Now?
The CoW team was direct: anyone who interacted with CoW Swap after 14:54 UTC on April 14 needs to revoke token approvals immediately. The team pointed users toward revoke tools — services like Revoke.cash let you see every active approval your wallet has granted and cancel the ones you don't recognize. It takes about three minutes and could save your remaining funds.
The deeper lesson here is one DeFi users keep learning the hard way: bookmark the official domain, never click links from Discord or Twitter, and check token approvals regularly even when nothing goes wrong. A clean smart contract is worthless if the front end you used to interact with it was serving malicious code. CoW Swap's backend survived intact — the users who got hit weren't done in by a protocol failure. They were phished, plain and simple.
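For readers who want to triage a wallet themselves, the sketch below (an added example, not code from CoW Swap or Revoke.cash) replays ERC-20 Approval event logs and lists allowances set at or after the 14:54 UTC cutoff that are still non-zero. It assumes the logs are in the shape returned by `eth_getLogs` with a block `timestamp` already joined in; every address in the sample data is a constructed placeholder.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): standard ERC-20 event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Cutoff given in the article: 14:54 UTC on April 14, 2026
CUTOFF = int(datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc).timestamp())

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def approvals_to_revoke(logs, owner, cutoff=CUTOFF):
    """Return allowances the owner set at/after cutoff that are still non-zero."""
    latest = {}  # (token, spender) -> (timestamp, amount); the last event wins
    for log in sorted(logs, key=lambda l: (l["timestamp"], l.get("logIndex", 0))):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (log["timestamp"], int(log["data"], 16))
    return [
        {"token": tok, "spender": sp, "amount": amt, "set_at": ts}
        for (tok, sp), (ts, amt) in sorted(latest.items())
        if ts >= cutoff and amt > 0
    ]

# --- Constructed sample data: placeholder addresses, not real contracts ---
def _addr(ch): return "0x" + ch * 40
def _topic(addr): return "0x" + "0" * 24 + addr[2:]
OWNER, OTHER = _addr("a"), _addr("b")
TOKEN_A, TOKEN_B = _addr("1"), _addr("2")
SPENDER_OLD, SPENDER_X, SPENDER_Y = _addr("c"), _addr("d"), _addr("e")
MAX_UINT = 2**256 - 1

def _log(token, owner, spender, amount, ts):
    return {"address": token, "timestamp": ts, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)]}

SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, SPENDER_OLD, MAX_UINT, CUTOFF - 86400),  # before window
    _log(TOKEN_A, OWNER, SPENDER_X, MAX_UINT, CUTOFF + 600),      # still active
    _log(TOKEN_B, OWNER, SPENDER_Y, 1000, CUTOFF + 900),          # later revoked
    _log(TOKEN_B, OWNER, SPENDER_Y, 0, CUTOFF + 3600),
    _log(TOKEN_A, OTHER, SPENDER_X, MAX_UINT, CUTOFF + 700),      # different wallet
]

if __name__ == "__main__":
    for row in approvals_to_revoke(SAMPLE_LOGS, OWNER):
        print(row)
```

An allowance that was granted in the window and later reset to zero is not reported, because only the last Approval event per token and spender decides the current state.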
We have evidence that a small number of users signed malicious approvals for very small amounts.
Frequently Asked Questions
What is the CoW Swap front-end attack?
The CoW Swap front-end attack was a DNS hijack that occurred on April 14, 2026. Attackers seized control of CoW Swap's website domain and redirected users to a malicious site. Victims who approved token interactions on the fake site had funds drained from their wallets. The underlying smart contracts were not compromised.
How much money was stolen from CoW Swap users?
Cybersecurity researcher Vladimir S. estimated approximately $500,000 in digital assets were drained from a small number of wallet addresses. CoW Swap's own team said investigations were ongoing and that a full damage assessment would be published within a day or two of the April 14 incident.
What should I do if I used CoW Swap on April 14, 2026?
Revoke all token approvals made on CoW Swap after 14:54 UTC on April 14, 2026. Use a revoke tool like Revoke.cash to identify and cancel any active approvals your wallet granted during that window. The CoW team confirmed only users who interacted with the site that afternoon are potentially affected.
Was CoW Protocol's code hacked?
No. CoW Protocol's smart contracts, backend, and APIs were not compromised. The attack targeted only the website's DNS configuration, redirecting the domain to a fake front end. The backend was paused voluntarily as a precaution while the team resolved the domain issue and assessed user losses.






