CoW Swap reports a DNS attack, advising all traders not to interact with the protocol
CoW Swap reported frontend problems and a DNS hijacking. The protocol called all traders to revoke permissions and avoid losing assets from connected wallets.
CoW Swap, one of the leading DEX trading routing protocols, reported frontend problems. Later, the issue turned out to be a malicious DNS hijacking, allowing bad actors to exploit trader wallets.
The protocol team discovered a DNS hijacking from 14:54 UTC, with the attack lasting over 90 minutes. The backend and APIs were not affected, but the entire routing app was paused.
CoW Swap advised all traders to stop using the main site until further notice.
🚨🚨
UPDATE: CoW Swap experienced a DNS hijacking at 14:54 UTC (approximately 90 minutes ago).
The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.
We are now actively working to resolve the situation. Please continue to…
— CoW DAO (@CoWSwap) April 14, 2026
DNS hijacking is extremely risky for Web3, as the attack can go unnoticed and drain connected wallets. The CoW Swap frontend is one of the trusted links to DEX trading, which could steal funds even without a backend exploit.
Within three hours of the attack, the compromised site led to $1M in stolen funds. One of the flagged addresses managed to intercept 219 ETH from a trader’s wallet. The exact size of the exploit depends on how many more wallets interact with the protocol, and if permission has exposed a whale wallet.
How does a DNS attack affect CoW Swap users?
The CoW Swap official address was compromised at the domain level, affecting anyone who used the site as an entry point.
Swap.cow dot fi could be redirecting users to a malicious site, which can then be used to extract wallet credentials, permissions, or even seed phrases from users. The site could have been compromised at a deeper level, allowing it to redirect traffic to a malicious web server.
Users still see the official address, which looks legitimate. The Cow Swap contracts are not affected, and the APIs are still usable in theory, but the protocol team warned against using the app until it is deemed safe.
For recent interactions, the best action is to revoke all permissions made through the site, using services like Revoke Cash. Traders can use the service to check the list of wallet permissions and disconnect all unknown connections or CoW Protocol permissions.
Cow Protocol attack reveals another Web3 weakness
Cow Swap has been one of the main hubs for Web3 trading. The router handled around $3.8B in volumes for March and around $1.22B in April to date. Weekly volumes have established a baseline of around $700M.
The protocol is the most active router for the best DEX pricing, used widely on EVM-compatible chains. Cow Protocol is active on Ethereum, Gnosis, Arbitrum, Base, Polygon, Avalanche, and Lens Network. In recent months, CoW Protocol has been more widely used for BNB Chain trading.
The recent DNS attack follows a series of Web3 attempts, often resulting in significant losses. The case gained additional attention after the recent Drift Protocol hack. Web3 attacks are becoming more common, leaving analysts to suspect the involvement of AI in monitoring weaknesses.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Recommended Articles
