CoW Swap Halts Protocol After Website Compromise
CoW Swap, the Ethereum-based decentralized exchange aggregator, paused its protocol on April 14, 2026, after attackers seized control of its website domain and redirected users to a malicious site engineered to harvest wallet approvals, with cybersecurity researcher Vladimir S. estimating approximately $500,000 in digital assets drained, and at least one user reporting individual losses exceeding $50,000.
The protocol’s underlying smart contracts and backend APIs were confirmed unaffected; the attack surface was the front-end interface alone. We suspect this is less a story about CoW Swap’s specific security posture and more a structural signal about the DeFi industry’s persistent, underweighted exposure to UI-layer infrastructure attacks – a threat vector that smart contract audits do not reach.
DISCOVER: Best crypto to buy right now – CoinSpeaker’s updated guide
CoW Swap Front-End Compromise: DNS Hijacking, Malicious Approvals, and What the Protocol Has Confirmed
The mechanism functions as follows: attackers gained administrative control of CoW Swap’s website domain – the cow.fi address that users navigate to before interacting with the protocol – and redirected that domain to a malicious site designed to mimic the legitimate interface.
Users who visited the site and signed transaction approvals during the window following 14:54 UTC on April 14 were exposed to wallet-draining transfers, without any indication at the domain level that anything was amiss.
UPDATE: The swap dot cow dot fi domain is currently locked and not accessible. We are working with security experts to assert control over the domain while it is locked, but we *do not* expect it to be live again tonight.
For those who rely on CoW Swap daily, we have spun up a… https://t.co/gtoeMfxYEy
— CoW DAO (@CoWSwap) April 14, 2026
Blockchain security firm Blockaid detected and flagged the malicious activity on the cow.fi domain, identifying it as a frontend attack capable of tricking users into signing draining transactions.
CoW Swap’s team confirmed the situation in a public statement: “We are now actively working to resolve the situation. The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.”
MooKeeper, a pseudonymous member of the CoW Swap team, said that the scope of losses remains under active investigation and that a fuller assessment would follow, adding: “We have evidence that a small number of users signed malicious approvals for very small amounts.”
That characterization sits in tension with Vladimir S.’s on-chain estimate of $500,000 drained from multiple addresses – a figure that some reports suggested could approach $1 million within three hours of the attack’s disclosure, though that higher figure has not been independently confirmed.
It is necessary to flag the epistemic status of several details here: the precise total of stolen funds, the identity of the attackers, and the full list of affected wallets remain unconfirmed in public disclosures at the time of writing.
The CoW Swap frontend is back up at https://t.co/428UojJIdq.
Make sure you only sign approvals to 0xc92e8bdf79f0507f65a392b0ab4667716bfe0110 (the original GPv2VaultRelayer contract) https://t.co/phQqIbzPAR
— Felix Leupold (@fleupold_) April 14, 2026
CoW DAO advised all users to revoke any approvals granted to CoW Swap after 14:54 UTC on April 14, recommending tools such as revoke cash for that process. Martin Köppelmann, co-founder and CEO of decentralized infrastructure provider Gnosis, noted that exposure appears limited to users who approved protocol interactions within the few hours the compromised domain was active. Aave separately disabled CoW Swap endpoints for its integrators as a precautionary measure, confirming that Aave’s own interface and protocol were not affected.
EXPLORE: Best meme coins to watch – CoinSpeaker’s updated rankings
next