Users urged to stay away as attackers target frontend
CoW Swap, Ethereum’s decentralized exchange aggregator, was forced to pause operations after attackers hijacked its main website domain in a classic DNS attack.
The incident compromised the domain swap.cow.fi. Visitors were redirected to a malicious phishing site that mimicked the legitimate interface, tricking users into signing malicious token approvals that drained their wallets.
Security firm raises alarm
On-chain security firm Blockaid raised the first alarm, flagging the frontend as malicious and warning anyone who had connected a wallet to revoke approvals immediately and avoid all interactions.
CoW DAO, the project’s governing body, soon confirmed the DNS hijacking in posts on X, stating that while the core protocol’s smart contracts remained untouched, the team had temporarily paused the backend and APIs as a precaution.
The team said they were actively working to resolve the situation and advised users to refrain from using swap.cow.fi until it was confirmed safe.
The attack shows a stubborn vulnerability in DeFi: even when smart contracts are secure, users still interact with the protocol through web frontends, and those remain prime targets for attackers.
Users report losses
Early reports of losses quickly surfaced. Some users in CoW Swap’s official Discord claimed significant hits, with one trader saying they lost over $50,000 and were left with nothing. Cybersecurity researcher Vladimir S. estimated that around $500,000 had been drained from a handful of addresses so far, though other observers suggested the total could be higher.
A pseudonymous CoW Swap team member known as MooKeeper said the team is actively investigating and verifying reports. They noted evidence of a small number of users signing malicious approvals, often for seemingly tiny amounts that later enabled larger drains. A fuller picture of the damage is expected later this week.
What Is CoW Swap?
CoW Swap stands for Coincidence of Wants. It’s a DEX aggregator that doesn’t just route trades through a single venue; it sources liquidity across multiple platforms and uses a network of competing solvers to find the best possible execution. The design aims to reduce slippage, protect users from MEV (maximal extractable value) attacks, and even enable direct peer-to-peer trades when possible.
CoW Swap is integrated into major DeFi tools, including the Safe wallet and the lending protocol Aave. In the past 30 days alone, it handled roughly $3.5 billion in volume and has generated about $50 million in lifetime fees.
Frontend remains the weakest link
DNS hijacks like this one are not new in DeFi. Curve Finance suffered a similar attack last year, with the 2022 incident costing users around $570,000. More recent frontend compromises have hit projects like HypurrFi and BONKfun, reminding everyone that the web layer remains the weakest link for otherwise decentralized protocols.
The team was still working to regain full control of the domain. Some reports mentioned the launch of a temporary alternative interface while the main domain remains locked.
In the meantime, the message from CoW DAO is simple and direct: stay away from the site until further notice, and if you interacted with it yesterday, revoke your approvals right away. This event is another reminder that in crypto, protecting the frontend is just as important as auditing the smart contracts.