Cow Protocol suffers a DNS hijacking; users must immediately revoke permissions


Cow Protocol attack incident

Cow Swap, a DEX aggregator built on Cow Protocol, confirmed on April 14 that its main frontend, swap.cow.fi, was subject to DNS hijacking. The attacker altered the domain's DNS records to redirect visitors to a spoofed site running a wallet drainer. Cow DAO paused the protocol's API and backend services as a precaution; users who interacted with the spoofed site must revoke the relevant token approvals immediately.

Complete Event Timeline

UTC 14:54: swap.cow.fi's DNS records were tampered with, and the attacker began routing traffic to a spoofed trading interface

UTC 15:41: Cow DAO posted a public warning on X, advising users to stop interacting with the website entirely while the investigation was under way

UTC 16:24: The team officially confirmed the DNS hijacking and stated clearly that neither the protocol backend nor the API itself had been compromised; the service pause was a preventive measure

UTC 16:33: Cow DAO released specific guidance, asking users who interacted with the affected frontend after UTC 14:54 to revoke approvals immediately

UTC 18:15: The team continued monitoring and asked users involved in suspicious transactions to submit transaction hashes for review

As of the time of this report, the protocol is still paused. Cow DAO has not yet announced a full restoration of the service and has not published a complete post-incident analysis report.

How the DNS Hijacking Attack Works: Why DeFi Frontends Are Still a High-Risk Entry Point

DNS hijacking does not require compromising smart contract code; the attack targets the domain infrastructure layer. By tampering with the DNS records of the target domain, the attacker redirects traffic to a server they control and serves a wallet-draining script (a "wallet drainer") from a lookalike interface. Connecting a wallet only reveals the user's address; the damage happens when the user signs what looks like a normal swap but is in fact a token approval to the attacker's contract or a transfer, after which the drainer moves the funds out automatically.

The technical entry point for this kind of attack is usually not the protocol's code but the domain-management layer: social engineering of the registrar's or DNS provider's support staff, reuse of leaked credentials or two-factor authentication (2FA) secrets, or a direct takeover of the domain management account. Several DeFi protocols have suffered similar frontend DNS attacks in recent months.
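A frontend operator's first line of detection for this class of attack is to watch the domain's delegation and address records against a pinned known-good state, and to compare answers from more than one vantage point. The following is an added example for this article, not Cow DAO's monitoring or any tool it publishes. The nameservers and IP addresses are placeholders from documentation ranges, not Cow's real records, and the live lookup assumes the dnspython package is installed.

```python
"""Detect DNS tampering of a DeFi frontend by diffing live answers against a
pinned known-good snapshot (added example; placeholder values throughout)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]  # record type -> set of values, e.g. {"A": {"203.0.113.10"}}


@dataclass
class Finding:
    record: str                      # "NS", "A", "AAAA" or "CNAME"
    unexpected: Set[str] = field(default_factory=set)
    missing: Set[str] = field(default_factory=set)

    def describe(self) -> str:
        if self.record == "NS":
            where = "delegation changed at the registrar (treat as account takeover)"
        else:
            where = "zone edited at the DNS provider (or cache poisoned on this resolver)"
        return f"{self.record}: unexpected={sorted(self.unexpected)} missing={sorted(self.missing)}; {where}"


def compare_snapshots(expected: Snapshot, observed: Snapshot) -> List[Finding]:
    """Return one Finding per record type whose observed value set differs.

    A changed NS set means the delegation itself was altered (registrar level);
    changed A/AAAA/CNAME with the same NS set means the zone content was altered.
    """
    findings = []
    for rtype in ("NS", "A", "AAAA", "CNAME"):
        exp = {v.lower().rstrip(".") for v in expected.get(rtype, set())}
        obs = {v.lower().rstrip(".") for v in observed.get(rtype, set())}
        if exp == obs:
            continue
        findings.append(Finding(rtype, unexpected=obs - exp, missing=exp - obs))
    return findings


def resolvers_disagree(snapshots: Dict[str, Snapshot], rtype: str = "A") -> bool:
    """True when different vantage points return different answers. A hijack
    that is still propagating, or a single poisoned resolver, shows up here."""
    answers = {frozenset(s.get(rtype, set())) for s in snapshots.values()}
    return len(answers) > 1


def live_snapshot(host: str, apex: str, nameserver: str) -> Snapshot:
    """Query one resolver directly. NS is checked on the apex (e.g. cow.fi),
    the address records on the frontend host (e.g. swap.cow.fi)."""
    import dns.resolver  # dnspython; imported lazily so the offline checks need no network

    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    snap: Snapshot = {}
    for name, rtype in ((apex, "NS"), (host, "A"), (host, "AAAA"), (host, "CNAME")):
        try:
            answer = resolver.resolve(name, rtype)
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            continue
        snap[rtype] = {rr.to_text().rstrip(".") for rr in answer}
    return snap


# Pinned known-good state (placeholder values, not Cow's real records)
EXPECTED: Snapshot = {
    "NS": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
    "A": {"203.0.113.10", "203.0.113.11"},
}

# Constructed observations of what a hijacked domain could look like
ZONE_EDIT_ONLY: Snapshot = {"NS": EXPECTED["NS"], "A": {"198.51.100.77"}}
DELEGATION_CHANGED: Snapshot = {"NS": {"ns1.attacker.example"}, "A": {"198.51.100.77"}}

if __name__ == "__main__":
    for label, obs in (("clean", EXPECTED), ("zone edit", ZONE_EDIT_ONLY), ("delegation", DELEGATION_CHANGED)):
        print(label, [f.describe() for f in compare_snapshots(EXPECTED, obs)])
    # Live use (needs network and dnspython), comparing two public resolvers:
    # for ns in ("1.1.1.1", "8.8.8.8"):
    #     print(ns, compare_snapshots(EXPECTED, live_snapshot("swap.cow.fi", "cow.fi", ns)))
```

Run it from a scheduler every few minutes and page on any non-empty finding; the NS check matters because a registrar-level takeover moves the whole zone, while an edit inside the existing DNS provider account only changes the host records. Querying authoritative and public resolvers separately also tells a real record change apart from a single poisoned cache.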

Cow Protocol itself is non-custodial and holds no user funds. The exposure is limited to users who signed transactions or approvals on the compromised frontend. The community has reported scattered suspicious transactions, but so far no systemic, protocol-wide fund drain has been confirmed.

Immediate Action Checklist for Affected Users

If you visited swap.cow.fi or cow.fi after UTC 14:54, and connected your wallet or signed any transaction, you should immediately take the following steps:

Emergency Action Guide

Go to revoke.cash: Immediately revoke every token approval granted after the time above, and review any other active approvals you do not recognise while you are there. Type the URL yourself and check it carefully; lookalike revocation sites are a common follow-up lure

Check your wallet transaction history: Confirm whether there were any unauthorized transfers or unusual approval actions

Stop visiting related domains: Until Cow DAO officially confirms that the website is safe to use, avoid visiting swap.cow.fi and cow.fi

Submit the transaction hash: If you find a suspicious transaction, submit its hash according to Cow DAO's instructions for a security review
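The checklist above asks users to find and revoke approvals granted after the hijack time. The following is an added example for this article, not code from Cow DAO or revoke.cash, showing how that search works on chain: ERC-20 approvals are `Approval(owner, spender, value)` events whose `value` is the new absolute allowance, so replaying them in chain order gives the live allowance per (token, spender), and anything granted at or after the incident block to an unrecognised spender is what needs revoking. All addresses, block numbers and log entries below are constructed placeholders; the cutoff block stands in for the first block after UTC 14:54.

```python
"""Find token allowances a wallet granted inside an incident window by
replaying ERC-20 Approval events (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


@dataclass
class Allowance:
    token: str
    spender: str
    amount: int
    block: int
    tx_hash: str

    @property
    def unlimited(self) -> bool:
        # Drainers ask for type(uint256).max; treat anything in the top half as unlimited
        return self.amount >= 2**255


def _topic_to_address(topic: str) -> str:
    # Indexed address arguments are left-padded to 32 bytes; the address is the last 20
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict) -> Optional[Tuple[str, Allowance]]:
    """Decode one eth_getLogs entry; returns (owner, Allowance) or None if not an Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return _topic_to_address(topics[1]), Allowance(
        token=log["address"].lower(),
        spender=_topic_to_address(topics[2]),
        amount=int(log["data"], 16),          # the event carries the new absolute allowance
        block=int(log["blockNumber"], 16),
        tx_hash=log["transactionHash"],
    )


def outstanding_allowances(logs: Iterable[dict], owner: str) -> Dict[Tuple[str, str], Allowance]:
    """Replay approvals in chain order; the last event per (token, spender) is the live allowance."""
    owner = owner.lower()
    latest: Dict[Tuple[str, str], Allowance] = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        parsed = parse_approval(log)
        if parsed is None or parsed[0] != owner:
            continue
        allowance = parsed[1]
        latest[(allowance.token, allowance.spender)] = allowance
    return {key: a for key, a in latest.items() if a.amount > 0}


def approvals_to_revoke(logs, owner, cutoff_block, trusted_spenders=()) -> List[Allowance]:
    """Live allowances granted at or after the cutoff block to a spender not on the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    return [a for a in outstanding_allowances(logs, owner).values()
            if a.block >= cutoff_block and a.spender not in trusted]


# ---- constructed sample data (placeholder addresses, not real contracts) ----
def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")

def _uint(n: int) -> str:
    return "0x" + format(n, "064x")

def _log(block, index, token, owner, spender, amount, tx):
    return {"address": token, "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": _uint(amount), "blockNumber": hex(block), "logIndex": hex(index),
            "transactionHash": tx}

OWNER = "0x1111111111111111111111111111111111111111"
TRUSTED_SPENDER = "0x2222222222222222222222222222222222222222"  # stands in for a legitimate protocol spender
ATTACKER = "0xbad0bad0bad0bad0bad0bad0bad0bad0bad0bad0"
TOKEN_A = "0x" + "a" * 40
TOKEN_B = "0x" + "b" * 40
CUTOFF_BLOCK = 150  # stands in for the first block at or after the hijack time (UTC 14:54)

SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, OWNER, TRUSTED_SPENDER, 1_000 * 10**6, "0xtx1"),  # normal use before the incident
    _log(160, 3, TOKEN_A, OWNER, ATTACKER, 2**256 - 1, "0xtx2"),            # drainer: unlimited approval
    _log(161, 0, TOKEN_B, OWNER, ATTACKER, 5_000 * 10**18, "0xtx3"),        # drainer: second token
    _log(162, 1, TOKEN_B, "0x" + "9" * 40, ATTACKER, 2**256 - 1, "0xtx4"),  # another victim, not our owner
    _log(170, 1, TOKEN_B, OWNER, ATTACKER, 0, "0xtx5"),                     # owner already revoked TOKEN_B
]

if __name__ == "__main__":
    for a in approvals_to_revoke(SAMPLE_LOGS, OWNER, CUTOFF_BLOCK, [TRUSTED_SPENDER]):
        amt = "unlimited" if a.unlimited else a.amount
        print(f"revoke {a.token} -> {a.spender} amount={amt} (block {a.block}, {a.tx_hash})")
```

For real use, fetch the logs with `eth_getLogs` filtered on `topics=[APPROVAL_TOPIC, pad(owner)]` from the cutoff block onward. Two caveats matter here: Permit2 and ERC-721/1155 `ApprovalForAll` use different events and need their own scan, and an EIP-2612 permit signature the attacker holds but has not yet submitted leaves no log at all, so if you signed anything on the spoofed site, revoke regardless of what the scan shows.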

Frequently Asked Questions

How did the DNS hijacking of Cow Protocol happen?

The attacker tampered with the DNS records of swap.cow.fi so that legitimate users' traffic was redirected to a spoofed website running a wallet-draining program. Attacks of this kind are typically carried out through social engineering of the domain service provider's support staff or with leaked credentials or 2FA secrets for the domain management account; they do not involve any vulnerability in the protocol's smart-contract layer.

Did this attack affect Cow Protocol’s smart contracts?

No. Cow DAO has confirmed clearly that the smart contracts and on-chain infrastructure were completely unaffected by this incident. The protocol backend and API were also not compromised. The service pause is purely a preventive measure intended to prevent more users from visiting the compromised frontend during the investigation.

How can I tell if I’m affected?

If you accessed swap.cow.fi or cow.fi after UTC 14:54 and connected your wallet or signed any transaction, you are potentially exposed. Go to revoke.cash immediately to revoke approvals and review your wallet's recent transaction history carefully. Follow Cow DAO's official X account and wait for the official notice that the service has been safely restored.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.
