'Solver' Hacks CoW Swap
DEX Says a 'Solver' Perpetrated the Heist and Customer Funds Are Safe
By: Samuel Haig
Hackers exploited the CoW Swap decentralized exchange on Tuesday and stole $166,000 worth of BNB from a wallet controlled by the protocol, according to the company.
In a twist, CoW Swap identified the hacker on Twitter as one of its market makers.
PeckShield, the blockchain security firm, disclosed the incident on social media and said one of CoW Swap’s smart contracts was compromised 10 days ago. The firm said the hacker transferred 551 BNB to Tornado Cash, a coin-mixing protocol, on Tuesday.
Kelvin Fichter of OP Labs tweeted that the exploiter tricked CoW Swap into granting the SwapGuard contract an unlimited DAI approval, meaning an allowance with no upper bound on the amount the contract could pull. He said the SwapGuard contract was intended to “limit the amount of tokens that can be lost in a single transaction.”
While some Twitter users urged CoW Swap customers to revoke wallet permissions granted to the exchange, CoW Swap said user funds are safe.
“Users don’t need to revoke approvals!” the DEX tweeted. “The CoW Swap settlement contract only stores fees that the protocol accrued over the week. It cannot access user funds directly without providing an order signed by the user and giving them at least their limit-buy amount in return.”
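The two claims above, that an unlimited approval defeats a per-transaction cap and that the settlement contract only ever held accrued fees, are easier to see with a small model of ERC-20 allowance semantics. The block below is an added example written for this article, not CoW Swap's contracts or any audited code; the ledger, the "guard" with its per-call limit, the account names and the balances are all constructed. It assumes the convention used by OpenZeppelin's ERC20 that an allowance of 2**256-1 is treated as unlimited and is never decremented on transferFrom.

```python
"""Toy ERC-20 allowance model: how an unlimited approval turns a per-call
cap into no cap at all. Added example; all names and amounts are constructed."""

MAX_UINT256 = 2**256 - 1  # the "unlimited approval" sentinel many tokens use


class Token:
    """Minimal ERC-20 ledger: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # OpenZeppelin-style: an allowance of 2**256-1 is never decremented,
        # so the spender keeps full access until the approval is revoked.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Guard:
    """Intermediary that refuses to move more than per_tx_limit in one call.
    The cap is per call, not cumulative, so it bounds nothing across calls."""

    def __init__(self, per_tx_limit):
        self.per_tx_limit = per_tx_limit

    def pull(self, token, owner, to, amount):
        if amount > self.per_tx_limit:
            raise ValueError("exceeds per-transaction limit")
        token.transfer_from("guard", owner, to, amount)


def drain(token, guard, victim, attacker):
    """Pull the guard's per-call maximum again and again until either the
    allowance or the victim's balance is exhausted. Returns the total moved."""
    moved = 0
    while True:
        amt = min(guard.per_tx_limit,
                  token.allowance(victim, "guard"),
                  token.balances.get(victim, 0))
        if amt == 0:
            break
        guard.pull(token, victim, attacker, amt)
        moved += amt
    return moved


def simulate(approval, fee_balance=1_000_000, per_tx_limit=10_000):
    """Constructed scenario: a settlement contract holding only accrued fees
    approves the guard for `approval`, then the guard is driven by an attacker."""
    token = Token({"settlement": fee_balance})
    guard = Guard(per_tx_limit)
    token.approve("settlement", "guard", approval)
    return drain(token, guard, "settlement", "attacker")


if __name__ == "__main__":
    print("unlimited approval, 10k per-call cap ->", simulate(MAX_UINT256))
    print("approval bounded to one call's worth ->", simulate(10_000))
```

The per-call limit only bounds each pull; with an unlimited allowance the attacker simply loops, and the loss is bounded by the approver's balance, which is why the damage here was capped at the fees the settlement contract happened to hold rather than at anything SwapGuard enforced. A bounded allowance (the second run) bounds cumulative loss regardless of how many times the guard is called. For a real deployment, the check a practitioner would do after reading this is to list every spender with a non-zero allowance on the contract in question, using the token's allowance(owner, spender) view via an explorer or an approval-checking tool, and revoke or tighten anything set to the unlimited sentinel.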
The platform later identified the exploit as having been facilitated by one of its “solvers.” Solvers are external parties that compete to find the best execution route for traders. They must post a bond that can be slashed in the event of malicious behavior.
‘The Barter Solver’
CoW Swap said the entity, dubbed “The Barter Solver,” signed up 10 days ago. After being whitelisted, The Barter Solver approved a malicious contract that allowed the exploit to occur.
CoW Swap told The Defiant on Wednesday that it immediately revoked all approvals for The Barter Solver, and thus indirectly for the affected intermediary contract, SwapGuard. The Barter Solver has already repaid the stolen amount, CoW Swap said.
CoW Swap is a decentralized exchange that uses a hybrid order book system for trade settlement to mitigate the risks of Maximal Extractable Value (MEV), the profit that block producers and searchers can extract by reordering, inserting or front-running transactions, for example through arbitrage.
CoW Swap executes trades in batches, pairing buyers with sellers and settling every trade in a batch at a single uniform clearing price. CoW Swap is powered by the 0x decentralized exchange protocol.
In an appearance on The Defiant podcast, Will Warren, the co-founder of 0x, described CoW Swap’s Frequent Batch Auction settlement system as “compelling.”
“If there are a bunch of people that are… on opposite sides of the same market, instead of having both of them cross over the bid-ask spread, they can meet in the middle and they can both get a better price because they just happen to want to do a trade at the same time,” Warren said.
“The challenge is that you have to have a high frequency of people submitting trades in the same period of time for you to really get a beneficial price improvement,” he continued. “I don’t think it’s necessarily eliminating MEV today, but it could get there.”
CoW Swap processed $61M worth of trades over the past 24 hours, according to Dapp Radar. That figure ranks CoW Swap as the 11th-largest DEX by volume, according to CoinGecko.
Story updated on Feb. 9 to report details on CoW Swap revoking approvals for The Barter Solver and to clarify that Twitter users, not CoW Swap investors, were urging customers to revoke wallet permissions.