Decentralized exchange aggregator CoW Swap suffered a major hack, with the attacker making off with over $180,000 in funds, according to security firms PeckShield and BlockSec.
As a decentralized exchange (DEX) aggregator, CoW Swap’s goal is to provide users with the best prices across decentralized exchanges. However, a hacker targeted its trade settlement smart contract, GPv2Settlement, to drain funds.
PeckShield estimated that the attacker drained roughly $180,000 worth of DAI from CoW Swap before routing the funds through Tornado Cash to obtain 551 BNB. The attack targeted the GPv2Settlement, a trade settlement smart contract that is part of the CoW Swap alpha (GPv2) protocol.
It appears that the attacker tricked the owner of the GPv2Settlement contract into approving the use of the SwapGuard, which is normally not permitted.
According to PeckShield, SwapGuard is a second contract used by CoW Swap to assist and validate swap results. This approval may have contributed to the success of the attack, as SwapGuard allows arbitrary function calls. In the context of smart contracts, arbitrary function calls allow anyone with access to the contract to execute any function within its code.
A BlockSec spokesperson told The Block that there is a function in the contract SwapGuard that can transfer money to any address. The attacker invoked the public function to transfer the DAI into their address.
The CoW Swap team said that the settlement contract that was exploited only has access to the fees collected by the protocol in a week and that the hacker was unable to directly access user funds.
© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Source: https://www.theblock.co/post/209187/dex-aggregator-cow-swap-falls-victim-to-180000-hack?utm_source=rss&utm_medium=rss