Cow Protocol suffers a DNS hijacking; users must immediately revoke permissions


Cow Protocol attack incident

Cow Swap, a DEX aggregation platform built on the Cow Protocol, confirmed on April 14 that its main frontend swap.cow.fi was subject to DNS hijacking. The attacker tampered with the domain's DNS records to redirect users' traffic to a spoofed website running a wallet drainer. Cow DAO then paused the protocol's API and backend services, and users who interacted with the frontend during the incident must immediately revoke the relevant token approvals.

Complete Event Timeline

UTC 14:54: swap.cow.fi's DNS records were tampered with, and the attacker began routing traffic to a spoofed trading interface

UTC 15:41: Cow DAO posted a public warning on X, advising users to stop interacting with the website entirely during the investigation

UTC 16:24: The team officially confirmed the DNS hijacking, stating clearly that neither the protocol backend nor the API itself was compromised; the service pause is a preventive measure

UTC 16:33: Cow DAO released specific guidance, asking users who interacted with the impacted frontend after UTC 14:54 to immediately revoke approvals

UTC 18:15: The team continues monitoring and asks users involved in suspicious transactions to submit transaction hashes for review

As of the time of this report, the protocol is still paused. Cow DAO has not yet announced a full restoration of the service and has not published a complete post-incident analysis report.

How the DNS Hijacking Attack Works: Why DeFi Frontends Are Still a High-Risk Entry Point

DNS hijacking does not require compromising smart contract code. Instead, the attack targets the domain infrastructure layer. By tampering with the DNS records of the target domain, attackers redirect traffic to a server they control, and serve a wallet drainer from a look-alike interface at the legitimate URL. Connecting a wallet alone does not move funds; the damage is done when the user signs what the spoofed page requests, typically an ERC-20 approval (or an off-chain Permit/Permit2 signature) granting the attacker's contract an allowance, after which the drainer transfers the tokens out automatically. Because the page sits at the real domain, the browser's URL bar and even a valid TLS certificate (which an attacker controlling DNS can obtain) give the user no warning.

The technical entry point for this kind of attack is typically not in the protocol code but at the domain service provider (registrar or DNS hosting) account level: social engineering of the provider's customer support staff, use of leaked or phished two-factor authentication (2FA) credentials, or direct compromise of the domain management account. In recent months, multiple DeFi protocols have suffered similar frontend DNS attacks one after another.
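The practical defence for the operator of a frontend like this (and for anyone who pins a protocol's domain) is to watch the DNS answers themselves, since the hijack is visible there before anyone reports a drained wallet. The following is an added example, not CoW DAO's monitoring or any code from the page: it compares the A and NS answers returned by several independent resolvers against a pinned baseline and reports three signals: an unexpected IP (traffic is going somewhere else), a changed delegation (typical of a registrar-account takeover), and disagreement between resolvers (poisoning or partial propagation). All hostnames, nameservers and IP addresses below are constructed placeholders (RFC 5737 test ranges), not the real records of swap.cow.fi. In practice the `observed` dict would be filled from `dig @1.1.1.1 swap.cow.fi A +short` and `dig @1.1.1.1 cow.fi NS +short` against each resolver.

```python
"""Flag DNS drift for a pinned frontend hostname using answers from several resolvers.

Added example; not CoW DAO's tooling. Every record value here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecordSet:
    a: frozenset   # IPv4 answers for the host
    ns: frozenset  # NS (delegation) answers for the zone


@dataclass(frozen=True)
class Finding:
    resolver: str  # which resolver produced the answer, "*" for cross-resolver findings
    kind: str      # A_DRIFT, NS_DRIFT or SPLIT_VIEW
    detail: str


def detect_dns_drift(host: str, baseline: RecordSet, observed: dict) -> list:
    """Compare per-resolver answers against the pinned baseline.

    A_DRIFT  : a resolver returned an IP outside the pinned set (hijack in effect there)
    NS_DRIFT : delegation differs from the pinned nameservers (registrar/zone takeover)
    SPLIT_VIEW: resolvers disagree with each other (poisoning or change still propagating)
    """
    findings = []
    for resolver, rs in sorted(observed.items()):
        unexpected = rs.a - baseline.a
        if unexpected:
            findings.append(Finding(resolver, "A_DRIFT",
                                    f"{host} -> {sorted(unexpected)} not in pinned set"))
        if rs.ns != baseline.ns:
            findings.append(Finding(resolver, "NS_DRIFT",
                                    f"delegation {sorted(rs.ns)} != pinned {sorted(baseline.ns)}"))
    views = {rs.a for rs in observed.values()}
    if len(views) > 1:
        findings.append(Finding("*", "SPLIT_VIEW",
                                f"{len(views)} different A answers across {len(observed)} resolvers"))
    return findings


def frontend_is_trusted(host: str, baseline: RecordSet, observed: dict) -> bool:
    """True only when every resolver agrees with the baseline on both A and NS."""
    return not detect_dns_drift(host, baseline, observed)


# --- constructed scenario data (placeholders, not real records) -----------------
HOST = "swap.example-frontend.test"
BASELINE = RecordSet(a=frozenset({"203.0.113.10"}),
                     ns=frozenset({"ns1.example-dns.test.", "ns2.example-dns.test."}))

# Normal day: both resolvers return the pinned answers.
OBSERVED_CLEAN = {
    "1.1.1.1": RecordSet(a=frozenset({"203.0.113.10"}), ns=BASELINE.ns),
    "9.9.9.9": RecordSet(a=frozenset({"203.0.113.10"}), ns=BASELINE.ns),
}

# Hijack in progress: one resolver already serves the attacker's A record and a new
# delegation, the other still has the old answer cached.
OBSERVED_HIJACKED = {
    "1.1.1.1": RecordSet(a=frozenset({"198.51.100.77"}),
                         ns=frozenset({"ns1.attacker-dns.test.", "ns2.attacker-dns.test."})),
    "9.9.9.9": RecordSet(a=frozenset({"203.0.113.10"}), ns=BASELINE.ns),
}


def scan_clean() -> list:
    return detect_dns_drift(HOST, BASELINE, OBSERVED_CLEAN)


def scan_hijacked() -> list:
    return detect_dns_drift(HOST, BASELINE, OBSERVED_HIJACKED)


if __name__ == "__main__":
    for f in scan_hijacked():
        print(f"[{f.kind}] resolver={f.resolver}: {f.detail}")
```

The split-view signal matters operationally: during the window in which only some resolvers have picked up the malicious records, a quick check from the operator's own network can come back clean while users elsewhere are already being redirected, so query several public resolvers rather than one.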

Cow Protocol itself is a non-custodial protocol and does not hold any user funds. This risk is limited to users who proactively sign transactions using the compromised frontend. The community has reported scattered suspicious transactions, but as of now, there has been no confirmation of any systemic fund extraction that affects the entire protocol.

Immediate Action Checklist for Affected Users

If you visited swap.cow.fi or cow.fi after UTC 14:54, and connected your wallet or signed any transaction, you should immediately take the following steps:

Emergency Action Guide

Go to revoke.cash: Immediately revoke all token approvals granted after the above time, on every chain on which you used the frontend

Check your wallet transaction history and allowances: Confirm whether there were any unauthorized transfers or unusual approval actions. Note that off-chain signatures (EIP-2612 Permit, Permit2) do not appear as transactions until the spender uses them, so review the on-chain allowance view as well as the transaction list

Stop visiting related domains: Until Cow DAO officially confirms that the website is safe to use, avoid visiting swap.cow.fi and cow.fi

Submit the transaction hash: If you find a suspicious transaction, submit the hash according to Cow DAO's instructions for a security review
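The checklist above relies on a third-party allowance viewer. The same review can be done from raw chain data, which is what a practitioner does when triaging many wallets or when they do not want to trust another frontend during an incident. The following is an added example, not CoW DAO's or revoke.cash's code: it decodes ERC-20 `Approval(owner, spender, value)` event logs for a wallet, keeps only the latest allowance per (token, spender) (ERC-20 `approve` overwrites rather than adds), flags allowances still live that were granted at or after a cutoff to spenders not on an allowlist, and ABI-encodes the `approve(spender, 0)` call that revokes each one. The event topic and function selector are the standard ERC-20 values; every address, timestamp, block number and log below is constructed (the cutoff is a stand-in for the 14:54 UTC time in the timeline), and the allowlisted spender is a placeholder for whatever contract the protocol legitimately uses. In practice the logs come from `eth_getLogs` filtered on `topics[0]` and the owner's padded address in `topics[1]`.

```python
"""Find ERC-20 allowances granted to untrusted spenders after a cutoff and build revoke calldata.

Added example; not CoW DAO's or revoke.cash's code. All addresses, times and logs are constructed.
"""
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC0 = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first four bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance drainers ask for


@dataclass(frozen=True)
class Approval:
    token: str
    spender: str
    value: int
    block_number: int
    log_index: int
    timestamp: int
    tx_hash: str


def _topic_to_address(topic: str) -> str:
    # indexed address topics are left-padded to 32 bytes; the address is the last 20 bytes
    return ("0x" + topic[-40:]).lower()


def _address_to_topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def parse_approvals(logs: list, owner: str) -> list:
    """Decode Approval logs whose indexed owner is our wallet; ignore everything else."""
    out = []
    for lg in logs:
        topics = lg["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC0:
            continue
        if _topic_to_address(topics[1]) != owner.lower():
            continue
        out.append(Approval(token=lg["address"].lower(), spender=_topic_to_address(topics[2]),
                            value=int(lg["data"], 16), block_number=lg["blockNumber"],
                            log_index=lg["logIndex"], timestamp=lg["timestamp"],
                            tx_hash=lg["transactionHash"]))
    return out


def current_allowances(approvals: list) -> dict:
    """Latest Approval per (token, spender) wins: approve() replaces the allowance."""
    latest = {}
    for ap in sorted(approvals, key=lambda a: (a.block_number, a.log_index)):
        latest[(ap.token, ap.spender)] = ap
    return latest


def find_risky_approvals(approvals: list, cutoff_ts: int, trusted_spenders: list) -> list:
    """Live allowances granted at/after the cutoff to spenders not on the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    return [ap for ap in current_allowances(approvals).values()
            if ap.value != 0                  # value 0 means already revoked
            and ap.timestamp >= cutoff_ts     # granted during/after the incident window
            and ap.spender not in trusted]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0); send it to the token contract to zero the allowance."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# --- constructed sample data (placeholders, not real addresses or blocks) ---------
OWNER = "0x" + "11" * 20
TRUSTED_SPENDER = "0x" + "22" * 20        # stand-in for the protocol's legitimate spender contract
DRAINER = "0x" + "bad" * 13 + "b"         # stand-in for the attacker's contract
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
CUTOFF_TS = 1_000_000                     # stand-in for the 14:54 UTC start of the incident


def _log(token, owner, spender, value, block, idx, ts, tx):
    return {"address": token, "topics": [APPROVAL_TOPIC0, _address_to_topic(owner), _address_to_topic(spender)],
            "data": "0x" + f"{value:064x}", "blockNumber": block, "logIndex": idx,
            "timestamp": ts, "transactionHash": tx}


SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, TRUSTED_SPENDER, 10**18, 100, 3, 999_000, "0x01"),   # normal, before cutoff
    _log(TOKEN_A, OWNER, DRAINER, MAX_UINT256, 120, 0, 1_000_500, "0x02"),     # unlimited, to drainer: revoke
    _log(TOKEN_B, OWNER, DRAINER, MAX_UINT256, 121, 2, 1_000_600, "0x03"),     # to drainer...
    _log(TOKEN_B, OWNER, DRAINER, 0, 130, 1, 1_001_000, "0x04"),              # ...but already revoked
    _log(TOKEN_A, "0x" + "33" * 20, DRAINER, MAX_UINT256, 125, 0, 1_000_700, "0x05"),  # other owner: ignore
]


def scan(logs=SAMPLE_LOGS, owner=OWNER, cutoff_ts=CUTOFF_TS, trusted=(TRUSTED_SPENDER,)) -> list:
    """Return (token, spender, revoke calldata) for every allowance that should be zeroed."""
    risky = find_risky_approvals(parse_approvals(logs, owner), cutoff_ts, list(trusted))
    return [(ap.token, ap.spender, revoke_calldata(ap.spender)) for ap in risky]


if __name__ == "__main__":
    for token, spender, calldata in scan():
        print(f"to={token} data={calldata}  # approve({spender}, 0)")
```

The allowlist is the weak point of any such scan: if the spoofed page requested an approval to the protocol's own legitimate contract, that approval is harmless by itself, but an approval to any address you do not recognise after the cutoff should be revoked first and investigated second. Revoking costs one transaction per (token, spender) pair, and the revoke must be sent to the token contract, not to the spender.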

Frequently Asked Questions

How did the DNS hijacking of Cow Protocol happen?

The attacker tampered with the DNS records of swap.cow.fi to redirect legitimate users' traffic to a spoofed website running a wallet drainer. Attacks of this kind typically involve social engineering of customer support at the domain service provider, or use of leaked domain management account 2FA credentials, and do not involve vulnerabilities in the protocol's smart-contract layer.

Did this attack affect Cow Protocol’s smart contracts?

No. Cow DAO has confirmed clearly that the smart contracts and on-chain infrastructure were completely unaffected by this incident. The protocol backend and API were also not compromised. The service pause is purely a preventive measure intended to prevent more users from visiting the compromised frontend during the investigation.

How can I tell if I’m affected?

If you accessed swap.cow.fi or cow.fi after UTC 14:54 and connected your wallet or signed any transaction or signature request, you are potentially at risk. Immediately go to revoke.cash to revoke approvals and carefully review your wallet's recent transaction history and current allowances. Keep an eye on Cow DAO's official X account and wait for the official notice that the service has been safely restored.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.
