Ethereum DeFi Exchange CoW Swap Pauses Protocol Following Website Compromise
CoW Swap, an Ethereum-based decentralized exchange aggregator, warned users on Tuesday to avoid using the protocol, disclosing that its front-end interface had been compromised. “We are now actively working to resolve the situation,” the project frequently used by Ethereum co-founder Vitalik Buterin said in a post to X. “The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.”
CoW Swap indicated that attackers had gained control of the website domain that users typically visit before engaging with the protocol. That gave bad actors the opportunity to direct users to a different website where funds could be stolen through the approval of malicious transfers.
Although the compromise didn’t affect CoW Swap’s underlying smart contracts, the protocol appeared to remain frozen three hours after the attack was divulged. Meanwhile, users on Discord reported losses within the project’s official server.
“I don’t know what to do anymore,” said one user who claimed that they lost more than $50,000 via CoW Swap’s compromised front end. “I have no money at all.” Despite apparent frustrations, the scope of losses sustained wasn’t immediately clear.
A pseudonymous member of the CoW Swap team who goes by MooKeeper told _Decrypt_ that reports are actively being investigated and verified. They added that a more complete assessment would be released tomorrow or later this week. “We have evidence that a small number of users signed malicious approvals for very small amounts,” MooKeeper added.
Still, a noted cybersecurity researcher who goes by Vladimir S. on X said that around $500,000 worth of digital assets had been “drained from a few addresses so far.”
Martin Köppelmann, co-founder and CEO of decentralized infrastructure provider Gnosis, noted in a post to X that the attack’s scope appears limited. He said that users are potentially affected only if they approved interactions with CoW Swap within the past few hours.
Websites that try to trick users by mimicking established DeFi projects aren’t entirely uncommon. Last year, for example, Curve Finance suffered its second DNS hijack. The first one, which took place in 2022, resulted in $570,000 in losses for users.
Buterin, who has swapped notable amounts of Ethereum for stablecoins using CoW Swap this year, had engaged with the protocol as recently as a week ago, data from on-chain analytics firm Arkham Intelligence showed. In 2024, he also used the decentralized exchange aggregator to offload holdings of a meme coin modeled on a baby pygmy hippo from Thailand.