Cow Protocol Halts Trading After Frontend Domain Hijack – Bitcoin News
Key Takeaways:
Cow Swap’s frontend at swap.cow.fi was hijacked via DNS at 14:54 UTC on April 14, 2026. Cow DAO paused Cow Protocol’s APIs and backend as a precaution, with no confirmed contract-level losses reported. Users who interacted with swap.cow.fi after 14:54 UTC should revoke approvals immediately using revoke.cash.
Cow Swap Pauses Protocol After DNS Hijacking Hits Frontend Domain
The hijack was detected at approximately 14:54 UTC on April 14, 2026. Cow DAO issued a public warning on X at roughly 15:41 UTC, advising users to stop interacting with the site entirely while the team investigated.
A follow-up post at 16:24 UTC confirmed the DNS hijacking and noted that Cow Protocol’s backend and APIs were not affected. The team paused those services anyway as a precaution.
DNS hijacking is a well-known attack method in decentralized finance ( DeFi). Attackers gain control of domain registrar settings, redirect traffic to a lookalike site, and deploy wallet drainers that trigger malicious transactions when users connect their wallets or sign approvals.
Cow Swap operates as a non-custodial platform, meaning the protocol itself does not hold user funds. Smart contracts and on-chain infrastructure were not touched in this incident. The risk was limited to users who visited the compromised frontend and signed transactions after 14:54 UTC.
Cow DAO posted guidance at 16:33 UTC instructing affected users to revoke any approvals granted after that time. The team pointed to revoke.cash as a tool for doing so.
No large-scale confirmed losses were reported as of late afternoon UTC. Community members flagged isolated suspicious transactions, but there was no evidence of a systemic drain affecting the broader protocol.
Security tool Blockaid flagged swap.cow.fi and related domains, including cow.fi during the incident window. The team continued monitoring through approximately 18:15 UTC and asked users with potentially affected transactions to submit their transaction hashes for review.
As of the latest available information, the protocol remained paused, and Cow DAO had not confirmed full restoration or released a post-mortem.
Frontend and DNS attacks have targeted several DeFi protocols in recent months. These incidents typically exploit registrar-level weaknesses, such as social engineering support staff or compromised two-factor authentication credentials, rather than any flaw in smart contract code.
Cow Protocol is part of the Gnosis ecosystem and uses batch auctions and Coincidence of Wants matching to provide MEV-protected trades. The protocol has processed billions of dollars in volume since launch.
A full post-mortem from Cow DAO is expected once the DNS issue is resolved and the site is confirmed safe to use.
