A hacker managed to exploit CoW Swap for approximately $166k. The incident has turned out to be a scare with little lasting worry, since CoW Swap has announced on Twitter that the platform itself has not been affected by the hack. CoW Swap has said it will cover the loss from the bond of the solver who had earlier set up an approval for a bad contract.
CoW Swap is a mechanism that saves the community time and effort by finding the lowest prices across different exchanges and aggregators. It works on the principle of Coincidences of Wants, also known as CoWs, to protect users from MEV.
According to the announcement on Twitter, CoW Swap has assured that neither the platform nor its users have been affected by the exploit. User funds are never held by the firm, and hence users are safe. CoW Swap is protected as well, since the damage is backed by a portion of the bonding pool. The incident began when a solver known as Barter Solver entered the Solver Competition and set up an approval for a bad contract that had been deployed 12 days earlier.
The approval allowed anyone to transfer funds from the settlement contract, which is precisely what the hacker misused to move funds to their own wallet. The hacker carried out the malicious transfer last night, moving approximately $166k from the settlement contract to their wallet.
At the time of writing, all approvals to the bad contract have been revoked to prevent any further malicious activity. Barter Solver has also upgraded to a new contract with no built-in arbitrary-execution functionality.
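To make the mechanism concrete, here is an added illustration (not CoW Swap's or Barter Solver's code) of the two patterns the article contrasts: a helper contract with an unrestricted arbitrary-call entry point, which lets anyone spend whatever allowance a settlement contract has granted it, beside a hardened version gated to the solver's own operator key, plus a sketch of the settlement side revoking an allowance. All contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumption: a standard ERC-20 token).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Weak pattern (hypothetical): anyone can make this contract call any target.
/// If a settlement contract has approved this helper as a spender, any caller can
/// route an ERC-20 transferFrom through it and drain the whole allowance.
contract UnrestrictedExecutor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened pattern (hypothetical): same capability, but only the solver's
/// operator key may trigger it, so a granted allowance is usable only by that key.
contract RestrictedExecutor {
    address public immutable operator;

    constructor(address _operator) {
        operator = _operator;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    function execute(address target, bytes calldata data)
        external
        onlyOperator
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Settlement-side sketch (hypothetical): the contract that actually holds fees
/// grants allowances to solver helpers and must be able to revoke them quickly.
/// Revoking is what "all approvals to the bad contract have been revoked" means.
contract SettlementSketch {
    address public immutable governor;

    event AllowanceChanged(address token, address spender, uint256 previous, uint256 current);

    constructor(address _governor) {
        governor = _governor;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    /// Grant a bounded allowance to a solver helper.
    function setAllowance(IERC20 token, address spender, uint256 amount) external onlyGovernor {
        uint256 prev = token.allowance(address(this), spender);
        require(token.approve(spender, amount), "approve failed");
        emit AllowanceChanged(address(token), spender, prev, amount);
    }

    /// Zero the allowance to a spender (the incident-response step).
    function revokeAllowance(IERC20 token, address spender) external onlyGovernor {
        uint256 prev = token.allowance(address(this), spender);
        require(token.approve(spender, 0), "approve failed");
        emit AllowanceChanged(address(token), spender, prev, 0);
    }

    /// Monitoring helper: true if any allowance to `spender` is still open.
    function hasOpenAllowance(IERC20 token, address spender) external view returns (bool) {
        return token.allowance(address(this), spender) > 0;
    }
}
```

The design point is that an allowance is only as safe as the set of callers who can exercise it: approving a contract whose `execute` is public effectively approves the whole world, whereas gating the entry point to one key and keeping a revoke path on the settlement side bounds both who can spend and how long a bad approval can stay open.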
The Solver Competition is a regular competition run by CoW Swap in which external parties find the best execution route for users. Solvers are individually granted access to a settlement contract, with each settlement contract holding no more than a week's worth of fees. Solvers are admitted to the competition only after contributing to the bond pool, which is drawn on in the event of malicious activity.
Users' funds are never at risk, CoW Swap assured in one of the tweets in the thread, where it also noted that losses are capped at the weekly revenue under the protection of the bonding pool created by solvers.
Users, initially scared, are now beginning to grasp the reality of the security over their funds with CoW Swap. One user has raised a question about the mitigation process for the future, as the flow could still be better.
Another user has advised everyone to revoke approvals to the affected contract and to review any other high-risk approvals as well. Further comment from CoW Swap is awaited, but the assurance should suffice for the present moment.
CoW Swap has also published a detailed blog post breaking down how the hacker was able to exploit an external solver to drain the settlement contract.