
CoW DAO on April 23 published a compensation proposal (CIP) on the governance forum, suggesting the establishment of a discretionary compensation program to provide up to 100% loss reimbursement to victims of the April 14 cow.fi domain hijacking incident. The incident is estimated to have caused user losses of about US$1.2 million in USDC. CoW DAO emphasized that the compensation is of a discretionary, voluntarily disbursed nature and does not indicate any admission of legal liability.

(Source: CoW DAO)
On April 14, 2026, Gandi SAS, the domain registrar used by CoW Swap's DNS servers (AWS Route 53), was subjected to a social engineering attack. The attackers used this weakness to control the cow.fi domain for about 4.5 hours, setting up a phishing website that tricked visitors into signing malicious transactions and drained tokens from their wallets. CoW DAO emphasized that the CoW Swap protocol itself was not attacked; the vulnerability existed at the domain registrar layer rather than in the protocol code.
There are three core eligibility conditions:
Used CoW Swap: The wallet must have conducted at least one transaction on CoW Swap before the incident
Signed a specific malicious transaction: The wallet owner must be someone who signed malicious messages or transactions related to the phishing website’s specific drain contract (Note: users who entered a mnemonic phrase are not included here)
Completed KYC verification: Must pass the identity verification process (KYC information will be destroyed within 30 days after compensation is paid)
Victims need to send an email to help@cow.fi by May 14, with the subject “CoW.Fi domain hijacking incident discretionary compensation claim,” and the body including the affected wallet address(es), the specific assets that were stolen, and the wallet owner’s name.
Full timeline: April 30 to May 7 (governance vote) → May 14 (application deadline) → May 21 (claim verification completed) → May 31 (all compensation fully disbursed). After the compensation program ends, the finance team will additionally fund a legal defense reserve authorized up to US$5 million. CoW DAO stated that this compensation is a one-time, isolated measure and does not set a precedent for using the legal defense reserve for purposes outside the primary defensive scope in the future.
You must meet three conditions: you conducted a transaction on CoW Swap before the incident; you signed a malicious transaction on the day of the incident related to the phishing website's specific drain contract; and you completed KYC verification. You can submit an application to help@cow.fi before the May 14 deadline, and the core team will verify it against on-chain data.
No. CoW DAO clearly points out that users whose mnemonics were exposed via websites requesting the mnemonic phrase are not within the scope of this compensation, because this kind of scam does not involve a phishing attack impersonating CoW Swap and does not fall under the category of victims of this domain hijacking incident.
According to the compensation terms, users who accept compensation agree that, to the maximum extent permitted under applicable law, the payment will ultimately resolve all related claims against CoW DAO arising from this specific incident. CoW DAO also states that any rights that cannot be waived under the law will not be affected by this clause.