CoW Swap Frontend Flagged as Malicious: Users Told to Revoke Approvals


Blockchain Academics, April 15, 2026

CoW Swap's web frontend was flagged as malicious Wednesday, prompting security researchers and the protocol's own team to warn users to avoid the site and immediately revoke any token approvals connected to the platform.

The warning spread rapidly across crypto security circles after multiple sources identified suspicious behavior tied to the CoW Swap interface. Users who had recently interacted with the frontend were urged to visit a token approval management tool — such as Revoke.cash or Etherscan's approval checker — and remove permissions granted to any associated contracts before funds could be drained.

CoW Swap, a decentralized exchange aggregator built on the CoW Protocol, routes trades through a batch auction system designed to protect users from MEV attacks and offer competitive pricing. The protocol has accumulated significant trading volume since its launch and is widely used across the Ethereum ecosystem. Its architecture relies on off-chain signed orders, meaning users grant approvals to smart contracts that execute trades on their behalf — a structure that becomes a liability if the frontend serving those interactions is compromised.

The nature of the compromise pointed toward a supply chain attack or DNS hijacking, categories of exploit that have become increasingly common against DeFi frontends. In this attack vector, the underlying smart contracts remain untouched. Instead, the interface users interact with is manipulated to serve malicious code, redirect approvals, or substitute attacker-controlled contract addresses. The result is that users acting in good faith can unknowingly authorize a hostile contract to move their tokens.

This attack pattern has claimed victims across the DeFi space in recent years. Curve Finance, BadgerDAO, and several other protocols have faced similar frontend compromises, with losses ranging from hundreds of thousands to tens of millions of dollars. The common thread is that smart contract audits offer no protection when the attack surface is the website itself.

Security firm Blockaid, which provides real-time threat detection for wallets and dApps, was among those flagging the CoW Swap domain. Wallet providers that integrate Blockaid's tooling would have displayed warnings to users attempting to connect, though users without such protections may have proceeded unaware.

At time of reporting, the CoW Protocol team had acknowledged the situation and was working to identify the root cause and restore a clean frontend. The team directed users away from the compromised domain and advised against signing any transactions until the issue was resolved.

The incident reinforces a persistent vulnerability in decentralized finance: protocols may be trustless at the contract layer while remaining entirely dependent on centralized infrastructure — domain registrars, DNS providers, content delivery networks, and third-party JavaScript libraries — at the interface layer. Each of those dependencies represents a potential point of failure that no amount of on-chain security can address.

Users holding active approvals to CoW Swap contracts should treat revocation as urgent regardless of whether they believe they interacted with the site during the affected window. Approvals do not expire automatically and remain exploitable until explicitly removed.
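The article describes a compromised interface substituting attacker-controlled contract addresses, and approvals that stay live until they are removed. The sketch below is an added example, not code from CoW Protocol, Blockaid or any wallet: it decodes ERC-20 `approve(address,uint256)` calldata before signing and classifies it against a pinned spender list. The allowlist, the function names and every address are constructed placeholders.

```javascript
// Added example. Addresses are constructed placeholders, not CoW Protocol contracts.
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Assumption: spender addresses pinned from a source independent of the frontend.
const TRUSTED_SPENDERS = new Set(["0x" + "11".repeat(20)]);

// Decode ERC-20 approve calldata; returns null for any other function call.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 10) !== APPROVE_SELECTOR) return null;
  if (hex.length !== 10 + 64 * 2) throw new Error("malformed approve calldata");
  const spenderWord = hex.slice(10, 74);
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("dirty address word");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(74, 138)),
  };
}

// Classify a transaction the interface asks the wallet to sign.
function reviewApproval(calldata, trusted = TRUSTED_SPENDERS) {
  const call = decodeApprove(calldata);
  if (call === null) return { verdict: "not-approve" };
  if (call.amount === 0n) return { verdict: "revocation", ...call }; // allowance set to zero
  if (!trusted.has(call.spender)) return { verdict: "block", ...call }; // unknown spender
  if (call.amount === MAX_UINT256) return { verdict: "warn-unlimited", ...call };
  return { verdict: "allow", ...call };
}

// Build sample calldata for the constructed cases below.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

const pinned = "0x" + "11".repeat(20);
const unknown = "0x" + "ab".repeat(20); // stands in for a substituted address
for (const [label, data] of [
  ["pinned, bounded", encodeApprove(pinned, 1000n)],
  ["pinned, unlimited", encodeApprove(pinned, MAX_UINT256)],
  ["unknown spender", encodeApprove(unknown, MAX_UINT256)],
  ["revoke", encodeApprove(unknown, 0n)],
]) console.log(label, "->", reviewApproval(data).verdict);
```

This covers on-chain `approve` calldata only; off-chain signed messages, such as the signed orders the article mentions, need their own checks.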
