A cow swap security incident left the decentralized exchange facing losses of $1.2 million after a coordinated domain takeover on April 14.
Summary
Domain weakness triggered the attack
The breach did not affect the platform’s core protocol. However, attackers exploited its domain management system and redirected users to a malicious website that closely mirrored the official interface.
The team said social engineering helped the attackers seize control of the cow.fi domain briefly. That allowed them to guide visitors toward a fake page and capture wallet interactions.
Users who reached the counterfeit site were prompted to connect wallets and approve transactions. In practice, that turned the event into a wallet approval scam that caused losses despite the protocol remaining secure.
Rapid response limited the damage
CoW Swap detected the issue within minutes and resolved the emergency response in around 19 minutes. Moreover, the team temporarily moved operations to a new domain while it repaired the compromised one.
The attack has been linked to a supply-chain problem involving domain hijacking. Even so, the team said its core systems, smart contracts, and user funds were never directly hacked.
Within roughly 26 hours, the original domain returned with stronger protections, including advanced security locks. The team also launched external audits, began legal action, and is exploring compensation for users.
Industry reaction and next steps
The incident came after the Drift protocol hack, which reportedly caused losses of about $220–$270 million. Moreover, Aave said the event did not affect its system or protocol, although it suspended access to endpoints tied to CoW Swap integration for security reasons.
A post-mortem report said the platform is now safe to use. The statement read: Current Status: swap.cow.fi is fully operational and safe to use. It added that the domain was recovered, restored to the AWS account with a registry lock, and placed back into normal service.
That said, the report also noted that the incident matches a documented pattern of .fi domain hijacks targeting crypto projects. For now, CoW Swap says users can access the platform with confidence.
