CoW Swap has warned users that its public frontend, including swap.cow.fi and cow.fi, was compromised in a DNS hijacking incident identified at about 14:54 UTC after Web3 security firm Blockaid detected malicious activity. The breach is significant because it shows how a DeFi platform can remain sound at the smart-contract level while still exposing users through the interface they trust to reach it.
The attack did not target CoW Swap’s on-chain contracts directly. Instead, it affected the user-facing web layer, redirecting visitors to fraudulent lookalike pages designed to capture wallet permissions and facilitate theft. With roughly $1 million in stolen funds linked to the incident, CoW DAO moved quickly to pause the frontend and related services, including backend endpoints and APIs, while it began investigating the scope of the compromise. That response reflects the core reality of the event: this was an operational attack on access and signing flow, not a protocol-level exploit.
Users should revoke all approvals made on CoW Swap after 14:54 UTC today. Tools like https://t.co/CGNBLppgWS make this easy to do. https://t.co/JNEUaTcuVd
— CoW DAO (@CoWSwap) April 14, 2026
A Safe Protocol Can Still Be Dangerous Through a Compromised Frontend
According to the security analysis, the incident stemmed from DNS hijacking that rerouted legitimate domain traffic to malicious replicas. Those fake pages were built to trick users into signing transactions that granted attackers token spend approvals. In practice, that meant the attack was aimed at browser-layer trust and wallet behavior rather than the protocol’s underlying settlement logic. The attackers did not need to break the contracts if they could manipulate the route users took to reach them.
Blockaid’s detection of suspicious activity on the cow.fi domain was the trigger for CoW Swap’s public warning and service pause. That sequence is important because it illustrates how external monitoring can become the first line of defense in incidents where the threat emerges outside the chain itself. In this case, the earliest meaningful signal came from domain-level anomaly detection, not from abnormal contract execution.
The distinction between frontend compromise and contract compromise is more than technical nuance. For traders, treasuries and operational teams, it goes directly to risk management. A protocol may remain intact, audited and functioning exactly as designed, yet users can still be exposed if the web interface that mediates transaction signing is corrupted. That makes frontend integrity a core security dependency, not an ancillary one.
The Immediate Priority Is Wallet Hygiene
CoW Swap and its security advisers have urged users who may have visited the compromised domains to treat the interface as untrusted until the platform confirms remediation. The immediate recommendations are straightforward: avoid interacting with swap.cow.fi or cow.fi, disconnect any wallets that were connected to the frontend, and revoke token approvals granted during the exposure window using approval-checking tools. For affected users, the fastest damage control now lies in cutting wallet permissions before attackers can exploit them further.
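One way to shortlist the approvals to revoke, as an added example that is not from CoW DAO, Blockaid or this article: it replays ERC-20 Approval logs for a wallet and keeps the allowances that were set at or after 14:54 UTC and are still non-zero. The date (April 14, 2026, taken from the CoW DAO post), the per-log `timestamp` field (joined from the block header) and every address are assumptions, and the logs are constructed sample data.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Assumption: 14:54 UTC on the date of the CoW DAO post (April 14, 2026).
WINDOW_START = int(datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc).timestamp())

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def approvals_to_revoke(logs, wallet, window_start=WINDOW_START):
    """Return {(token, spender): allowance} still non-zero and last set at/after window_start."""
    wallet = wallet.lower()
    latest = {}  # (token, spender) -> (timestamp, allowance)
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 emits the same topic0 with a fourth (tokenId) topic; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != wallet:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (log["timestamp"], int(log["data"], 16))
    return {k: v for k, (ts, v) in latest.items() if ts >= window_start and v > 0}

# --- Constructed sample data (placeholder addresses, not from the incident) ---
def _addr(n): return "0x" + f"{n:040x}"
def _log(token, owner, spender, amount, ts, block, idx=0, extra=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": hex(amount), "timestamp": ts, "blockNumber": block, "logIndex": idx}

WALLET, OTHER = _addr(0xA11CE), _addr(0xB0B)
TOKEN1, TOKEN2, NFT = _addr(0x1001), _addr(0x1002), _addr(0x1003)
OLD_SPENDER, NEW_SPENDER, REVOKED = _addr(0x51), _addr(0x52), _addr(0x53)
MAX = 2**256 - 1
SAMPLE_LOGS = [
    _log(TOKEN1, WALLET, OLD_SPENDER, MAX, WINDOW_START - 3600, 100),   # before window
    _log(TOKEN1, WALLET, NEW_SPENDER, MAX, WINDOW_START + 120, 200),    # in window, live
    _log(TOKEN2, WALLET, REVOKED, MAX, WINDOW_START + 300, 210),        # in window...
    _log(TOKEN2, WALLET, REVOKED, 0, WINDOW_START + 900, 230),          # ...then revoked
    _log(TOKEN2, OTHER, NEW_SPENDER, MAX, WINDOW_START + 60, 195),      # another owner
    _log(NFT, WALLET, NEW_SPENDER, 0, WINDOW_START + 60, 196, extra=["0x" + "0" * 63 + "7"]),
]

if __name__ == "__main__":
    for (token, spender), amount in approvals_to_revoke(SAMPLE_LOGS, WALLET).items():
        print(f"revoke: token={token} spender={spender} allowance={amount}")
```

Event replay only produces a shortlist: `transferFrom` can reduce an allowance without emitting a new Approval event, so confirm each entry against the token's `allowance()` before and after revoking.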
The incident is separate from CoW Swap’s March 2026 trading event involving a large $50 million USDT-to-AAVE order that led to about 219 ETH in slippage-related losses. That earlier case was a market-impact problem, not a security failure. The DNS hijack, by contrast, highlights a different and potentially more insidious weakness: the attack surface created by the infrastructure that connects users to DeFi protocols before any on-chain interaction even begins.
CoW DAO’s investigation is ongoing, and any communication delivered through the compromised domains should be treated as suspect until the platform publishes a verified recovery plan and confirms restored domain control. For market participants, the broader lesson is already clear. In DeFi, smart-contract security is only one layer of defense; domain control, interface integrity and transaction-signing hygiene are now just as critical to protecting capital.
