Key points to remember:
- The Cow Swap interface at swap.cow.fi was hijacked via DNS at 2:54 p.m. UTC on April 14, 2026.
- Cow DAO has suspended the Cow Protocol APIs and backend as a precautionary measure, with no confirmed contract-level losses reported.
- Users who interacted with swap.cow.fi after 2:54 p.m. UTC should immediately revoke approvals using revoke.cash.
Cow Swap Discontinues Protocol After DNS Hijack Reaches Front End Domain
The hijacking was detected around 2:54 p.m. UTC on April 14, 2026. Cow DAO issued a public warning on X around 3:41 p.m. UTC, advising users to stop interacting with the site entirely while the team investigated.
A follow-up message at 4:24 p.m. UTC confirmed the DNS hijack and noted that Cow Protocol’s backend and APIs were not affected. The team still suspended these services as a precaution.
DNS hijacking is a well-known attack method in decentralized finance ( Challenge). Attackers take control of domain registrar settings, redirect traffic to a similar site, and deploy wallet drainers that trigger malicious transactions when users connect their wallets or sign approvals.
Cow Swap operates as a non-custodial platform, meaning the protocol itself does not hold user funds. Smart contracts and on-chain infrastructure were not impacted during this incident. The risk was limited to users who visited the compromised frontend and signed transactions after 2:54 p.m. UTC.
Cow DAO advice issued at 16:33 UTC educate affected users to revoke any approval granted after this date. The team highlighted revoke.cash as a tool to do this.
No confirmed large-scale losses were reported as of late afternoon UTC. Community members reported isolated suspicious transactions, but there was no evidence of a systemic leak affecting the protocol as a whole.
Blockaid security tool reported swap.cow.fi and associated domains including cow.fi during the incident window. The team continued monitoring until approximately 6:15 p.m. UTC and asked users whose transactions were potentially affected to submit their transaction hashes for review.
According to the latest information available, the protocol remained on pause and Cow DAO had not confirmed the full restoration nor published an autopsy.
Frontend and DNS attacks targeted several Challenge protocols in recent months. These incidents typically exploit weaknesses at the registrar level, such as social engineering support staff or compromised two-factor authentication credentials, rather than any flaws in the system. smart contract code.
Cow Protocol is part of the Gnosis ecosystem and uses batch auctions and desire matching to provide MEV-protected trades. The protocol has processed billions of dollars in volume since launch.
A full autopsy of Cow DAO is expected once the DNS issue is resolved and it is confirmed safe to use the site.
