The attacker reportedly added a wallet address as a “solver” of CoW Swap.
BNB worth over $181,000 transferred to the cryptocurrency mixer Tornado Cash.
A vulnerability in the smart contracts underlying the decentralized finance (DeFi) protocol CoW Swap has resulted in the theft of around 551 BNB worth around $181,600. The attacker reportedly added a wallet address as a “solver” of CoW Swap, then used a transaction to authorize DAI transfers to SwapGuard before transferring the funds to another address.
The blockchain monitoring company MevRefund was the first to identify the intrusion. The money was transferred from CoW Swap, and the protocol’s SwapGuard feature had been approved, allowing anybody to execute “arbitrary function calls.”
PeckShield, a blockchain security company, disclosed within an hour that ten days earlier, SwapGuard was able to deceive CoW Swap’s GPv2Settlement contract into accepting DAI spending. When the exploit was launched, the attacker had just used the SwapGuard to remove DAI from the GPv2Settlement contract.
Transferred to Tornado Cash
BlockSec, a blockchain security platform, provided more context, explaining that the attacker could approve transactions because they had added a wallet address as a solver of the protocol through multi-sig. Once the settlement contract had allowed the DAI transfer, the exploiter could authorize payments to whatever address they pleased.
BNB, USDT, USDC, and ETH tokens have all been sent to the address of the exploiter. Around 551 BNB worth over $181,000 has been transferred to the cryptocurrency mixer Tornado Cash, which is sanctioned by the OFAC.
Furthermore, CoW Swap assured its customers that the stolen funds amounted to a week’s worth of fees. The organization said the problem has been fixed and an investigation is underway.
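The reports above describe a token approval granted by the settlement contract that stayed in place for ten days before it was used. The following is an added monitoring example, not code from the article or from CoW Swap: it replays ERC-20 Approval event logs and lists allowances a fund-holding contract still has outstanding to spenders that are not on a reviewed allowlist. All addresses, block numbers and log entries are constructed placeholders.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

# Constructed placeholder addresses (not real contracts).
SETTLEMENT = "0x" + "aa" * 20  # contract that holds protocol funds
TOKEN = "0x" + "dd" * 20       # an ERC-20 token
VAULT = "0x" + "11" * 20       # reviewed, allowlisted spender
HELPER = "0x" + "22" * 20      # spender that was never reviewed
OTHER = "0x" + "33" * 20

def _log(block, owner, spender, value, token=TOKEN):
    """Build a constructed log in the shape returned by eth_getLogs."""
    pad = lambda addr: "0x" + "00" * 12 + addr[2:]  # indexed address -> 32 bytes
    return {"blockNumber": block, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [  # constructed sample input
    _log(100, SETTLEMENT, VAULT, UNLIMITED),
    _log(120, SETTLEMENT, HELPER, UNLIMITED),  # the approval worth alerting on
    _log(130, OTHER, HELPER, 5),               # different owner, ignored
    _log(140, SETTLEMENT, OTHER, 1000),
    _log(150, SETTLEMENT, OTHER, 0),           # revoked again
]

def decode_approval(log):
    """Return (token, owner, spender, value), or None if not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # ERC-721 Approval shares topic0 but carries 4 topics
    owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])
    return log["address"].lower(), owner, spender, int(log["data"], 16)

def standing_allowances(logs, owner, allowlist, head_block):
    """Non-zero approvals from `owner` to spenders outside `allowlist`.
    Tracks the last approved value, not the allowance left after spending."""
    allow, live = {a.lower() for a in allowlist}, {}
    for log in sorted(logs, key=lambda entry: entry["blockNumber"]):
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != owner.lower():
            continue
        token, _, spender, value = decoded
        if value == 0:
            live.pop((token, spender), None)   # approval revoked
        elif spender not in allow:
            live[(token, spender)] = (value, log["blockNumber"])
    return [{"token": t, "spender": s, "unlimited": v == UNLIMITED,
             "age_blocks": head_block - b} for (t, s), (v, b) in live.items()]
```

Alerting on any entry this returns, rather than waiting for an outgoing transfer, covers the window between the approval and its use.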