The popular DEX aggregator temporarily paused its backend after attackers redirected it's frontend domain to a malicious site, exposing users to unauthorized wallet approvals.
CoW Swap, one of Ethereum's top decentralized exchange aggregators, temporarily paused it's platform on Tuesday after a DNS hijacking attack redirected users from its website, marking one of DeFi’s most high-profile front-end security incidents of the month.
The hijacking was detected at approximately 14:54 UTC on April 14. CoW DAO issued a public warning on X at roughly 15:41 UTC, advising users to stop interacting with the site entirely while the team investigated.
The attack was initially flagged by Web3 security firm Blockaid, which identified a front-end attack on CoW Swap and flagged cow.fi as malicious. Blockaid urged users to revoke approvals immediately if their wallet had been connected and to avoid any interaction with the dApp.
A cybersecurity researcher on X estimated roughly $500,000 was drained from several addresses, but the project confirmed its smart contracts and backend systems were not impacted and that a fuller assessment would be released later in the week. Attackers changed the domain users normally visit and sent traffic to a fake interface that prompted wallet approvals, allowing transfers from user wallets while the on-chain contracts remained intact.
Gnosis co-founder Martin Köppelmann said the attack's impact appears limited and that only users who approved interactions with CoW Swap in the hours before the incident are potentially affected.
CoW Swap operates via a "Coincidence of Wants" mechanism matching trades directly between users or batching them for more efficient execution. The protocol markets itself around MEV protection and currently supports activity across major networks including Ethereum, Base, Polygon, Arbitrum, Gnosis, Avalanche, BNB, Linea, Plasma, and Ink.
Curve Finance also confirmed a DNS record compromise that same day, redirecting visitors to a fraudulent site. Curve previously suffered a DNS hijack in 2022 that resulted in about $570,000 in losses.
The COW token dropped over 3% in response to the security disclosure, sliding from $0.2229 to $0.2134 almost immediately after the DAO's warning went live on X.
First quarter 2026 saw Web3 platforms lose $482 million to security breaches and fraudulent schemes, according to Hacken data. Security specialists stress that while smart contract code can be hardened, front-end and DNS infrastructure remain a persistent weak point, one that even well-established protocols are still struggling to close.
CoW Swap spun up a new instance of its UI at a temporary URL to allow users to continue accessing the protocol as the team works to fully restore its compromised domain. A full post-mortem from CoW DAO is expected once the DNS issue is resolved.