CoW Swap Hack Analysis — Arbitrary Callable SwapGuard


Description

On February 7, 2023, CoW Swap was hacked and lost $180K. By tricking the CoW Swap settlement contract, the attackers got it to approve the SwapGuard contract, and because the SwapGuard's transfer function could be called by any address (an arbitrary-caller allowance), that approval enabled token transfers out of the CoW Swap vaults.

Smart Contract Hack Overview:

Decoding the Smart Contract Vulnerability:

  • The transferFromAccounts() method internally transfers DAI tokens from the vault, while the settle() function in the GPv2Settlement contract accepts an arbitrary token address from calldata and does not validate the token it receives.
  • Because settle() permits arbitrary calls and neither the solver nor the contract validates the interaction data, the attacker can force the GPv2 contract to approve their malicious contract.
  • As soon as the SwapGuard contract was approved, the attacker's contract moved DAI tokens out of the GPv2Settlement contract, causing a $180,000 loss to the system.

Mitigation and Best Practices:

  • Input validation must be applied to every critical parameter.
  • Access control must be implemented correctly: only the owner of the contract should be allowed to perform transactions, and sensitive functions must not be exposed to arbitrary external callers.
  • To prevent such vulnerabilities, experienced smart contract auditors should review contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities, including access control vulnerabilities, with 130+ detectors at SolidityScan.
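The access control failure described above, shown as an added illustration that is not CoW Swap's actual SwapGuard code: a guard contract whose transferFromAccounts() is callable by anyone, beside a hardened version that accepts calls only from the solver address fixed at deployment and rejects zero addresses. The contract and function shapes are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here (standard interface, assumed).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical reconstruction): no caller check, so once a
// settlement contract has approved this guard, any address can trigger transfers
// out of that settlement contract's balance.
contract VulnerableGuard {
    function transferFromAccounts(address token, address[] calldata accounts, address to, uint256 amount) external {
        for (uint256 i = 0; i < accounts.length; i++) {
            require(IERC20(token).transferFrom(accounts[i], to, amount), "transfer failed");
        }
    }
}

// Hardened pattern: the trusted solver is recorded immutably at deployment and
// every other caller is rejected, so an approval granted to this guard cannot be
// redirected by an arbitrary address. Critical parameters are also validated.
contract HardenedGuard {
    address public immutable solver;

    error NotSolver(address caller);

    constructor(address solver_) {
        require(solver_ != address(0), "zero solver");
        solver = solver_;
    }

    modifier onlySolver() {
        if (msg.sender != solver) revert NotSolver(msg.sender);
        _;
    }

    function transferFromAccounts(address token, address[] calldata accounts, address to, uint256 amount)
        external
        onlySolver
    {
        require(token != address(0), "zero token");
        require(to != address(0), "zero recipient");
        for (uint256 i = 0; i < accounts.length; i++) {
            require(IERC20(token).transferFrom(accounts[i], to, amount), "transfer failed");
        }
    }
}
```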

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
