Sunday , December 22 2024
Home / Blockchain / DeFi Platform CoW Protocol Loses Over 550 BNB in Contract Exploit

DeFi Platform CoW Protocol Loses Over 550 BNB in Contract Exploit

Summary:
Decentralized finance (DeFi) protocol CoW Swap has suffered a smart contract exploit, leading to the loss of approximately 551 BNB (1,600). According to reports, the attacker added a wallet address as a “solver” of CoW Swap and invoked a transaction to approve DAI transfers to SwapGuard before moving the assets to other addresses. A Settlement Contract Exploit Blockchain surveyor MevRefund first noticed the attack in the early hours of today. The maximal extractable value (MEV) searcher tweeted that CoW Swap’s funds were being moved, adding that the protocol’s SwapGuard feature had been granted allowance and allowed anyone to make “arbitrary function calls.” Within an hour, blockchain security firm PeckShield revealed that CoW Swap’s GPv2Settlement contract was tricked

Topics:
Mandy Williams considers the following as important: , ,

This could be interesting, too:

Wayne Jones writes Argentina’s Mining Sector Pioneers Lithium Tokenization by Tapping Cardano

Wayne Jones writes Chinese Auto Dealer Dives Into Bitcoin Mining With 6M Investment

Wayne Jones writes Nigeria Arrests 792 in Landmark Crypto-Romance Scam Raid

Wayne Jones writes NFT Gaming Project CyberKongz Receives Wells Notice from SEC

Decentralized finance (DeFi) protocol CoW Swap has suffered a smart contract exploit, leading to the loss of approximately 551 BNB ($181,600).

According to reports, the attacker added a wallet address as a “solver” of CoW Swap and invoked a transaction to approve DAI transfers to SwapGuard before moving the assets to other addresses.

A Settlement Contract Exploit

Blockchain surveyor MevRefund first noticed the attack in the early hours of today. The maximal extractable value (MEV) searcher tweeted that CoW Swap’s funds were being moved, adding that the protocol’s SwapGuard feature had been granted allowance and allowed anyone to make “arbitrary function calls.”

Within an hour, blockchain security firm PeckShield revealed that CoW Swap’s GPv2Settlement contract was tricked ten days ago, approving SwapGuard for DAI spending.

At the time of the exploit, the attacker just triggered the SwapGuard to transfer DAI out of the GPv2Settlement contract.

In a more detailed explanation, blockchain security platform BlockSec disclosed that the attacker had added a wallet address as a solver of the protocol by the multi-sig, hence, the ability to approve the transactions. Since the DAI transfer was approved from the settlement contract, the exploiter could also approve transfers to arbitrary addresses.

“A lesson learned. A contract with the interface of arbitrary call should not have any allowance, 0x55a37a2e5e5973510ac9d9c723aec213fa161919 made the mistake and approved the maximum value of DAI to SwapGuard, which is the root cause of the attack,” BlockSec said.

Over $181k Moved to Tornado Cash

Tokens transferred to the exploiter’s address include BNB, USDT, USDC, and ETH. So far, roughly 551 BNB worth over $181,000 has been moved to the OFAC-sanctioned crypto mixer Tornado Cash.

CoW Swap urged users not to worry, as the stolen funds were CoW Protocol’s accumulated fees from the past week. The platform said the issue has been mitigated and is currently under investigation.

CoW Protocol is the latest DeFi platform to suffer at the hands of daring hackers this month. CryptoPotato reported last week that Orion Protocol and BonqDAO were hacked, leading to the loss of $3 million and $10 million, respectively.

You Might Also Like:

Leave a Reply

Your email address will not be published. Required fields are marked *