Verify a decision

{"actor":"system:backfill","investigation_id":"99a79ffe-a739-45dd-9f2c-24975a8e2f06","kind":"publish","page_slug":"cow-swap-cow-protocol","published_at":"2026-05-31T07:10:29.402Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"CoW Swap (CoW Protocol)","sections":[{"content":"CoW Protocol (Coincidence of Wants Protocol) is an intent-based DEX aggregator that routes trades through a batch-auction mechanism on Ethereum and other EVM-compatible chains. Rather than executing trades against liquidity pools directly, users submit signed trade intents, and third-party 'solvers' compete in a batch auction to settle them optimally. When two users' intents match exactly (a coincidence of wants), the protocol routes them peer-to-peer, bypassing automated market maker fees entirely. The protocol originated as Gnosis Protocol V1, launched in April 2020 under Gnosis. In early 2022, it was rebranded to CoW Protocol and spun out into an independent CoW DAO with its own COW governance token after passing governance proposal GIP-13. The project raised $23 million in March 2022 — $15 million from institutional investors including Blockchain Capital, Cherry Ventures, 1kx, Delphi Ventures, Dialectic, Robot Ventures, and others, with the remainder raised from approximately 5,000 community members. By 2026, CoW Swap was among the top five DEXs by volume on Ethereum and had processed over $80 billion in cumulative trading volume. The COW token (ERC-20, contract address 0xDEf1CA1fb7FBcDC777520aa7f396b4E015F497aB on Ethereum mainnet) has a total supply of 1 billion, with up to 3% additional annual minting permitted by the DAO.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"CoW Protocol raises $23 million and spins out from Gnosis DAO — The Block","type":"news_article","url":"https://www.theblock.co/linked/139692/cow-protocol-raises-23-million-and-spins-out-from-gnosis-dao"},{"credibility":1,"name":"CoW Protocol Documentation — docs.cow.fi","type":"official","url":"https://docs.cow.fi/cow-protocol"},{"credibility":1,"name":"CoW Protocol Token — docs.cow.fi","type":"official","url":"https://docs.cow.fi/governance/token"},{"credibility":1,"name":"GIP-13 Phase 2: CowDAO and COW Token — Gnosis Forum","type":"official","url":"https://forum.gnosis.io/t/gip-13-phase-2-cowdao-and-cow-token/2735"},{"credibility":2,"name":"What Is CoW Swap: Complete Intent-Based DEX Guide 2026 — DEXTools","type":"research","url":"https://www.dextools.io/tutorials/what-is-cow-swap-cow-protocol-intent-dex-guide-2026"}]},{"content":"On April 14, 2026, the cow.fi domain was subjected to a supply-chain attack at the domain registrar layer. According to post-incident reporting, attackers impersonated a senior CoW DAO contributor and submitted falsified identification documents to Traficom (Finland's Communications Regulatory Authority, which administers the .fi top-level domain registry). Traficom raised a dispute against CoW Protocol's registrar, Gandi SAS; when Gandi did not respond to the dispute within the required window, the attacker obtained administrative control of the domain. Attackers modified DNS A records to redirect traffic from cow.fi and swap.cow.fi to a malicious Cloudflare-hosted server running a pixel-perfect clone of the CoW Swap trading interface. The phishing interface employed a wallet-drainer script exploiting the ERC-20 Permit standard: users were presented with what appeared to be standard token approvals, but were actually signing ERC-2612 Permit messages that granted the attacker broad authority to transfer assets without additional on-chain approval transactions. Security firm Blockaid first detected the anomaly at approximately 14:54 UTC. The CoW Swap team detected the issue internally within 19 minutes of the attack commencing and issued a public warning via social media at approximately 15:41 UTC, advising users not to access swap.cow.fi. The team paused the CoW Protocol backend and APIs as a precaution and disabled swap endpoints for third-party integrators including Aave and Bitget Wallet. Emergency migration to a fallback domain, cow.finance, was completed in approximately 3.5 hours. The cow.fi domain was fully restored on April 15, 2026, approximately 26 hours after the hijack began, with RegistryLock enabled to prevent future unauthorized transfers. The CoW Protocol's on-chain smart contracts, backend API, solver network, and signing infrastructure were not compromised at any point. Total estimated user losses from the phishing frontend were approximately $1.2 million, including a single transaction in which one trader lost 219 ETH (approximately $750,000 at the time). The post-mortem report published by the team confirmed the attack was confined entirely to the domain registration supply chain layer.","heading":"April 2026 DNS Hijacking Incident","severity":"high","sources":[{"credibility":2,"name":"CoW Swap Pauses Protocol After DNS Hijacking Redirects Frontend to Malicious Site — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/cow-swap-pauses-protocol-after-dns-hijacking-redirects-frontend-to-malicious-site/"},{"credibility":2,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605371175"},{"credibility":1,"name":"Popular DeFi Platform CoW Swap Warns Users to Stay Away After Security Breach — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach"},{"credibility":2,"name":"CoW Swap Protocol Halts Services Following Major DNS Hijacking Incident — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/cow-swap-protocol-halts-services-following-major-dns-hijacking-incident/"},{"credibility":2,"name":"Domain hijack led to crypto heist — Domain Name Wire","type":"news_article","url":"https://domainnamewire.com/2026/04/17/domain-hijack-led-to-crypto-heist/"},{"credibility":2,"name":"CoW Swap Frontend Attack Explained: DNS Hijacking — KuCoin Blog","type":"news_article","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"},{"credibility":2,"name":"Hijacked Domains: How CoWSwap's $1.2M Supply Chain Attack Happened — MEXC News","type":"news_article","url":"https://www.mexc.co/news/1047776"},{"credibility":2,"name":"CoW Swap hit by DNS hijack, warns users to stay clear of site — Protos","type":"news_article","url":"https://protos.com/cow-swap-hit-by-dns-hijack-warns-users-to-stay-clear-of-site/"},{"credibility":2,"name":"CoW Swap Confirms $1M+ User Loss After cow.fi Domain Hijack — BingX News","type":"news_article","url":"https://bingx.com/en/flash-news/post/cow-swap-report-says-cow-fi-domain-hijack-redirected-swap-cow-fi-to-phishing-site-estimated-user-losses-m"}]},{"content":"Following the April 14, 2026 incident, CoW DAO launched a governance process to consider voluntary reimbursement of affected users. A draft proposal was posted to the CoW DAO governance forum and subsequently formalized as CIP-86 (Discretionary Grants Program for Victims of the cow.fi Domain Hijacking). CIP-86 passed via Snapshot vote on May 8, 2026, following community deliberation that refined eligibility criteria. The proposal allocated funds from the DAO's Legal Defense Reserve to cover up to 100% of assets lost, with total estimated losses of approximately $1.2 million in USDC. Eligible claimants were required to: have previously traded on CoW Swap or be funded by wallets that had done so; have signed the specific malicious drainer contract active during the attack; and submit verified identity (KYC) documentation. Claims funded by wallets using mixers, privacy tools, or sanctioned addresses were expressly excluded, as were losses involving exposed seed phrases or private keys. The claims window closed May 14, 2026, with a review and KYC verification period running May 14–21, after which treasury payouts began. The DAO explicitly framed the grants as a voluntary, trust-building measure and stated the reimbursement was 'not an admission that the protocol itself was hacked.' Collected KYC data was to be destroyed within 30 days following payout.","heading":"Governance Response: CIP-86 Victim Reimbursement","severity":"medium","sources":[{"credibility":1,"name":"CIP-86: Discretionary Grants Program for Victims of the cow.fi Domain Hijacking — CoW DAO Forum","type":"official","url":"https://forum.cow.fi/t/cip-86-discretionary-grants-program-for-victims-of-the-cow-fi-domain-hijacking/3431"},{"credibility":2,"name":"CIP-86 Passed: CoW DAO Begins Compensation for April Attack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"}]},{"content":"Multiple independent sources confirmed throughout the April 2026 incident that CoW Protocol's on-chain smart contracts were never compromised. The core settlement contract (GPv2Settlement, deployed at 0x9008D19f58AAbD9eD0D60971565AA8510560ab41 on Ethereum mainnet) and the solver network remained unaffected. The attack occurred entirely at the DNS and domain registration supply chain layer, not within the blockchain infrastructure. The COW token contract (0xDEf1CA1fb7FBcDC777520aa7f396b4E015F497aB) uses standard OpenZeppelin ERC-20 components. Following the incident, the team implemented RegistryLock on the cow.fi domain, a protection that had not previously been available through their DNS provider (Amazon Route 53) and requires multi-factor, multi-party verification for any future DNS changes. The team also signaled potential migration toward IPFS-based frontend delivery to reduce ongoing registrar dependency. No smart contract audits with specific findings have been independently verified through Tier 1 or Tier 2 sources in the preparation of this report; the project's GitHub (github.com/cowprotocol/contracts) maintains the contract source code publicly.","heading":"Smart Contract and Protocol Security","severity":"low","sources":[{"credibility":2,"name":"CoW Swap Halts Protocol After Website Compromise — Coinspeaker","type":"news_article","url":"https://www.coinspeaker.com/cow-swap-halts-protocol-website-compromise/"},{"credibility":1,"name":"CoW Protocol Smart Contracts — GitHub","type":"official","url":"https://github.com/cowprotocol/contracts"},{"credibility":1,"name":"CoW Protocol: GPv2Settlement — Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x9008d19f58aabd9ed0d60971565aa8510560ab41"}]},{"content":"No enforcement actions by the SEC, CFTC, DOJ, or other regulatory bodies against CoW Protocol, CoW DAO, or their operators have been identified through searches of publicly available records as of May 2026. CoW Protocol operates as a permissionless, decentralized protocol governed by CoW DAO; it does not maintain a traditional corporate structure subject to typical financial services licensing in most jurisdictions. The protocol does not provide custodial services. No sanctions violations, OFAC-listed addresses, or criminal proceedings associated with the protocol or its founders have been identified. The CIP-86 reimbursement process required KYC of claimants and excluded wallets associated with sanctioned addresses, reflecting awareness of applicable sanctions compliance considerations.","heading":"Regulatory and Legal Status","severity":"low","sources":[{"credibility":1,"name":"CIP-86 Proposal — CoW DAO Governance Forum","type":"official","url":"https://forum.cow.fi/t/cip-86-discretionary-grants-program-for-victims-of-the-cow-fi-domain-hijacking/3431"}]},{"content":"CoW Protocol is governed by CoW DAO, with a publicly named leadership team. Anna George serves as CEO and Co-Founder; she previously worked at Gnosis from November 2017 through January 2022 in business development and regional management roles before co-founding CoW Protocol. The DAO structure means major protocol changes, treasury allocations, and incident responses (such as CIP-86) are subject to community governance votes. The COW token confers governance rights including voting on protocol upgrades, fee parameters, solver whitelisting, and treasury allocations. The team is publicly identified, reducing anonymity-related risk signals. No adverse findings regarding the founders or core team have been identified through Tier 1 or Tier 2 sources.","heading":"Team and Governance","severity":"low","sources":[{"credibility":2,"name":"Anna George — CEO / Co-Founder at CoW — The Org","type":"other","url":"https://theorg.com/org/cow/org-chart/anna-george"},{"credibility":2,"name":"Anna George — CoW Protocol — LinkedIn","type":"other","url":"https://www.linkedin.com/in/annamgeorge/"},{"credibility":2,"name":"CowSwap CEO Anna George Explains MEV, Intent-Based Swaps — YouTube / Token Terminal","type":"other","url":"https://www.youtube.com/watch?v=AdJC7JOesYA"}]},{"content":"The April 2026 incident highlighted a class of attack that targets Web2 infrastructure (domain registrars, DNS records) rather than blockchain-layer security. This attack vector — social engineering of a domain registrar using forged identity documents — is not unique to CoW Protocol and represents a systemic risk across DeFi protocols that rely on traditional domain names for user-facing interfaces. The ERC-20 Permit standard exploitation used in the attack (generating Permit signatures that grant token transfer authority without separate approval transactions) is a documented vector across DeFi broadly. Security firm Blockaid's rapid detection of the anomaly (at approximately 14:54 UTC, approximately 19 minutes after attack commencement according to reporting) and the team's swift response are noted positively. Post-incident security enhancements including RegistryLock and potential IPFS-based frontend delivery address the specific vector exploited. Users interacting with any DeFi protocol via a browser-based frontend should be aware that DNS and registrar-layer attacks can occur independently of smart contract security, and should verify domain legitimacy through multiple channels before signing permit-type messages.","heading":"Frontend and Infrastructure Risk","severity":"medium","sources":[{"credibility":2,"name":"CoW Swap Frontend Attack Explained: DNS Hijacking — KuCoin Blog","type":"news_article","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"},{"credibility":2,"name":"Hijacked Domains: How CoWSwap's $1.2M Supply Chain Attack Happened — MEXC News","type":"news_article","url":"https://www.mexc.co/news/1047776"},{"credibility":2,"name":"CoW Swap Experienced DNS Hijacking — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/cow-swap-experienced-dns-hijacking/"}]}],"sources_used":[{"credibility":2,"name":"CoW Swap Pauses Protocol After DNS Hijacking Redirects Frontend to Malicious Site — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/cow-swap-pauses-protocol-after-dns-hijacking-redirects-frontend-to-malicious-site/"},{"credibility":2,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605371175"},{"credibility":1,"name":"Popular DeFi Platform CoW Swap Warns Users to Stay Away After Security Breach — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach"},{"credibility":2,"name":"CoW Swap Protocol Halts Services Following Major DNS Hijacking Incident — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/cow-swap-protocol-halts-services-following-major-dns-hijacking-incident/"},{"credibility":2,"name":"Domain hijack led to crypto heist — Domain Name Wire","type":"news_article","url":"https://domainnamewire.com/2026/04/17/domain-hijack-led-to-crypto-heist/"},{"credibility":2,"name":"CoW Swap Frontend Attack Explained: DNS Hijacking — KuCoin Blog","type":"news_article","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"},{"credibility":2,"name":"Hijacked Domains: How CoWSwap's $1.2M Supply Chain Attack Happened — MEXC News","type":"news_article","url":"https://www.mexc.co/news/1047776"},{"credibility":1,"name":"CIP-86: Discretionary Grants Program for Victims of the cow.fi Domain Hijacking — CoW DAO Forum","type":"official","url":"https://forum.cow.fi/t/cip-86-discretionary-grants-program-for-victims-of-the-cow-fi-domain-hijacking/3431"},{"credibility":2,"name":"CIP-86 Passed: CoW DAO Begins Compensation for April Attack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"},{"credibility":2,"name":"CoW Protocol raises $23 million and spins out from Gnosis DAO — The Block","type":"news_article","url":"https://www.theblock.co/linked/139692/cow-protocol-raises-23-million-and-spins-out-from-gnosis-dao"},{"credibility":1,"name":"CoW Protocol Documentation — docs.cow.fi","type":"official","url":"https://docs.cow.fi/cow-protocol"},{"credibility":1,"name":"GIP-13 Phase 2: CowDAO and COW Token — Gnosis Forum","type":"official","url":"https://forum.gnosis.io/t/gip-13-phase-2-cowdao-and-cow-token/2735"},{"credibility":1,"name":"CoW Protocol Smart Contracts — GitHub","type":"official","url":"https://github.com/cowprotocol/contracts"},{"credibility":1,"name":"CoW Protocol Token (COW) — Etherscan","type":"on_chain","url":"https://etherscan.io/token/0xDEf1CA1fb7FBcDC777520aa7f396b4E015F497aB"},{"credibility":2,"name":"CoW Swap hit by DNS hijack, warns users to stay clear of site — Protos","type":"news_article","url":"https://protos.com/cow-swap-hit-by-dns-hijack-warns-users-to-stay-clear-of-site/"},{"credibility":2,"name":"CoW Swap Experienced DNS Hijacking — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/cow-swap-experienced-dns-hijacking/"},{"credibility":2,"name":"CoW Swap Halts Protocol After Website Compromise — Coinspeaker","type":"news_article","url":"https://www.coinspeaker.com/cow-swap-halts-protocol-website-compromise/"},{"credibility":2,"name":"Anna George — CoW Protocol — LinkedIn","type":"other","url":"https://www.linkedin.com/in/annamgeorge/"}],"summary":"CoW Protocol is an intent-based decentralized exchange (DEX) aggregator and batch-auction settlement system originally launched from Gnosis Protocol, spun out in 2022 with a $23 million raise and its own COW governance token. The protocol's smart contracts and backend infrastructure have not been compromised. However, on April 14, 2026, attackers used social engineering and forged identification documents to hijack the cow.fi domain at the registrar level (Gandi SAS / Traficom), redirecting users to a pixel-perfect phishing site for approximately 4.5 hours and causing an estimated $1.2 million in user losses. CoW DAO responded by passing governance proposal CIP-86 to voluntarily reimburse victims, positioning this incident as a supply-chain/frontend attack rather than a protocol exploit.","timeline":[{"date":"2020-04-01","event":"Gnosis Protocol V1 launches, the precursor to CoW Protocol, introducing batch auction-based token trading.","source":"DEXTools — What Is CoW Swap Guide 2026","source_url":"https://www.dextools.io/tutorials/what-is-cow-swap-cow-protocol-intent-dex-guide-2026"},{"date":"2022-01-01","event":"GIP-13 proposal submitted to Gnosis DAO to spin out CoW Protocol as an independent DAO with its own COW governance token.","source":"GIP-13 Phase 2: CowDAO and COW Token — Gnosis Forum","source_url":"https://forum.gnosis.io/t/gip-13-phase-2-cowdao-and-cow-token/2735"},{"date":"2022-03-30","event":"CoW Protocol raises $23 million — $15 million from institutional investors (Blockchain Capital, Cherry Ventures, 1kx, Delphi Ventures, others) plus community funding — and officially spins out from Gnosis DAO.","source":"CoW Protocol raises $23 million and spins out from Gnosis DAO — The Block","source_url":"https://www.theblock.co/linked/139692/cow-protocol-raises-23-million-and-spins-out-from-gnosis-dao"},{"date":"2026-04-14","event":"DNS hijacking attack begins at approximately 14:54 UTC. Attackers using forged identity documents and social engineering gain control of the cow.fi domain via registrar Gandi SAS / Traficom (.fi TLD registry), redirecting cow.fi and swap.cow.fi to a phishing clone.","source":"CoW Swap Publishes Post-Mortem on Domain Hijack — Bitget News","source_url":"https://www.bitget.com/news/detail/12560605371175"},{"date":"2026-04-14","event":"Security firm Blockaid detects the frontend anomaly approximately 19 minutes after attack commencement. CoW DAO issues public X/Twitter warning at approximately 15:41 UTC, advises users not to use swap.cow.fi, and pauses backend and APIs.","source":"CoW Swap hit by DNS hijack — Protos","source_url":"https://protos.com/cow-swap-hit-by-dns-hijack-warns-users-to-stay-clear-of-site/"},{"date":"2026-04-14","event":"Emergency migration to fallback domain cow.finance completed in approximately 3.5 hours. Estimated $1.2 million in user losses, including 219 ETH (~$750,000) drained from a single wallet via ERC-20 Permit signature exploitation.","source":"CoW Swap Frontend Attack Explained — KuCoin Blog","source_url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"},{"date":"2026-04-15","event":"cow.fi domain fully recovered and restored with RegistryLock enabled, approximately 26 hours after the hijack commenced. Smart contracts confirmed uncompromised throughout.","source":"Domain hijack led to crypto heist — Domain Name Wire","source_url":"https://domainnamewire.com/2026/04/17/domain-hijack-led-to-crypto-heist/"},{"date":"2026-05-08","event":"CoW DAO passes governance proposal CIP-86 via Snapshot vote, approving a discretionary grants program to voluntarily reimburse victims of the April 14 DNS hijacking attack, with claims funded from the DAO's Legal Defense Reserve.","source":"CIP-86 Passed: CoW DAO Begins Compensation for April Attack — Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"},{"date":"2026-05-14","event":"Claims deadline for CIP-86 victim reimbursement program. Eligible users required to submit wallet address, transaction hashes, asset list, and full name to help@cow.fi.","source":"CIP-86 Discretionary Grants Program — CoW DAO Forum","source_url":"https://forum.cow.fi/t/cip-86-discretionary-grants-program-for-victims-of-the-cow-fi-domain-hijacking/3431"},{"date":"2026-05-21","event":"CoW DAO treasury begins issuing CIP-86 reimbursement grants to verified victims following KYC review period.","source":"CIP-86 Discretionary Grants Program — CoW DAO Forum","source_url":"https://forum.cow.fi/t/cip-86-discretionary-grants-program-for-victims-of-the-cow-fi-domain-hijacking/3431"}]},"v":1}