CoW Swap Domain Recovery and Incident Update
On April 16, CoW Swap announced that it had regained control of the cow.fi domain and that it had been operating normally on cow.finance in the meantime. The team is now gradually transitioning back to the original domain following the security incident.
DNS Registrar as the Attack Entry Point
According to official disclosures, the attack occurred on April 14 when threat actors tricked a domain registrar using falsified documents, gaining control over the cow.fi domain. This was not a protocol or smart contract exploit, but a DNS-level compromise highlighting centralized weak points in Web3 infrastructure.
Two-Stage Phishing Attack Mechanism
After gaining control of the domain, attackers deployed a highly convincing phishing website. The attack unfolded in two stages: first, users were prompted to sign malicious transactions through a wallet drainer; second, fake wallet pop-ups were used to steal seed phrases and passwords, enabling deeper asset compromise.
No Protocol Vulnerability or Key Leakage Confirmed
CoW Swap clarified that no smart contract vulnerability or private key leakage occurred. The incident was isolated to the domain registrar layer, meaning the primary risk stemmed from front-end compromise rather than on-chain infrastructure failure.
User Mitigation and Security Recommendations
Affected users are advised to immediately revoke all token approvals using tools such as Revoke.cash and consider migrating assets to a new wallet. Users are also strongly encouraged to verify official domains before interacting with any DeFi interface.
Front-End Risk and On-Chain Security Boundaries (Trustformer KYT)
This incident highlights the importance of distinguishing between on-chain security and front-end infrastructure risk. Attack chains often exploit approval and signature flows to drain assets. Trustformer KYT helps institutions detect abnormal approval patterns and suspicious fund movements, strengthening real-time risk response in complex threat environments.
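The mitigation advice (revoke token approvals) and the detection angle (abnormal approval patterns) come down to the same ERC-20 signal: an unlimited allowance granted to a spender that is not a known contract. The following is an added example, not CoW Swap's or Trustformer's code; it decodes constructed Approval event logs in the shape an eth_getLogs call returns, flags that pattern against a hypothetical spender allowlist, and lists the approve(spender, 0) calls that would revoke each flagged allowance. All addresses and log entries are constructed placeholders.

```python
# Added example, not CoW Swap's or Trustformer's code: scan ERC-20 Approval
# events for the pattern a wallet drainer relies on (an unlimited allowance to a
# spender that is not a known contract) and list the revoking approve() calls.
# All addresses and log entries are constructed sample data, not real chain data.

UINT256_MAX = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# Constructed placeholder addresses.
TOKEN = "0x" + "aa" * 20
OWNER = "0x" + "11" * 20
KNOWN_ROUTER = "0x" + "22" * 20   # hypothetical audited spender contract
DRAINER = "0x" + "33" * 20        # hypothetical unknown spender
KNOWN_SPENDERS = {KNOWN_ROUTER}   # hypothetical allowlist

def topic(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed log topics."""
    return "0x" + addr[2:].rjust(64, "0")

def hexval(n):
    """Encode an unsigned integer as the 32-byte hex data field of a log."""
    return "0x" + format(n, "064x")

SAMPLE_LOGS = [  # constructed, in the shape eth_getLogs returns
    {"address": TOKEN, "blockNumber": 100, "data": hexval(UINT256_MAX),
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(DRAINER)]},
    {"address": TOKEN, "blockNumber": 101, "data": hexval(UINT256_MAX),
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(KNOWN_ROUTER)]},
    {"address": TOKEN, "blockNumber": 102, "data": hexval(250 * 10**6),
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(DRAINER)]},
]

def decode_approval(log):
    """Decode an Approval log: topics = [sig, owner, spender]; data = allowance."""
    return {"token": log["address"].lower(),
            "owner": ("0x" + log["topics"][1][-40:]).lower(),
            "spender": ("0x" + log["topics"][2][-40:]).lower(),
            "value": int(log["data"], 16), "block": log["blockNumber"]}

def flag_risky_approvals(logs, known_spenders=KNOWN_SPENDERS, floor=UINT256_MAX // 2):
    """Approvals that are effectively unlimited and go to a spender not on the allowlist."""
    decoded = (decode_approval(l) for l in logs if l["topics"][0] == APPROVAL_TOPIC)
    return [a for a in decoded
            if a["value"] >= floor and a["spender"] not in known_spenders]

def revoke_plan(risky):
    """The approve(spender, 0) calls, as (token, spender, amount), that cancel each one."""
    return [(a["token"], a["spender"], 0) for a in risky]
```

Running `revoke_plan(flag_risky_approvals(SAMPLE_LOGS))` on the constructed logs flags only the unlimited approval to the unknown spender; the bounded approval and the one to the allowlisted router pass.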