A DNS Attack Took Down CoW Swap’s Website — Not Its Code, But Users Still Lost Access

Blake Sullivan

DeFi exploit · Apr 16, 2026

Source: DojiDoji Data Terminal

Users can lose access to a DeFi platform not because its blockchain code failed, but because the website they use to reach it was hijacked.

On April 14, attackers compromised the DNS system for swap.cow.fi, redirecting traffic from CoW Swap’s official interface to a phishing frontend designed to mimic the real platform. Any user who signed a transaction on that fake site risked approving malicious wallet permissions and losing funds. The underlying smart contracts, however, remained secure.

CoW Swap responded by pausing its backend services and APIs to limit exposure. By April 15, the domain was still locked, marking the second day of inaccessibility. A temporary interface went live at swap.cow.finance, but users are urged to confirm its legitimacy through official channels before use.

The attack did not breach blockchain-level security. Instead, it exploited a weak point common across decentralized finance: reliance on centralized web infrastructure. Domain registrars and DNS providers operate outside the blockchain, making them targets even when on-chain code is airtight.

This is not an isolated case. Protocols like Curve Finance and Balancer have faced similar frontend hijackings. While no funds were directly stolen from CoW Swap’s contracts, the disruption carries consequences. Downtime affects liquidity routing, reduces trading volume, and strains integrations that depend on consistent access.

Related Brief · 2d ago
defi security

DeFi Users Must Protect Themselves Even When Smart Contracts Are Secure

Users of DeFi platforms can lose funds even when no smart contract is breached, if they grant permissions on a compromised frontend. At 14:54 UTC on April 14, 2026, CoW Swap fell victim to a DNS hijacking attack that redirected traffic from swap.cow.fi to a fake website designed to mimic the legitimate interface. The counterfeit site could prompt users to sign transactions or approve token spending limits, opening the door to unauthorized fund transfers. Though the CoW Protocol’s core systems remained secure, the attack exploited the web layer users trust to access the platform. CoW Swap responded by halting its frontend, APIs, and backend as a precaution, even though only the domain system was breached.

Users who interacted with the site after the attack were urged to revoke any token approvals granted since that time. These approvals, once given, allow external contracts to spend user tokens up to a set amount without requiring additional approval. The tool revoke.cash was recommended to quickly and safely remove such access. No widespread losses have been confirmed, a result in part of the platform’s non-custodial architecture: user funds never leave their wallets, and the underlying smart contracts were not compromised.

But the incident underscores a growing pattern in decentralized finance: attackers are shifting focus from code exploits to frontend infrastructure. DNS hijacking, often achieved through registrar account breaches or social engineering, allows attackers to intercept users before they ever reach a secure protocol. CoW Swap, a decentralized exchange aggregator using Coincidence of Wants to batch and optimize trades, is built to resist transaction manipulation like MEV. Yet its users still face risk the moment they load the website. Security alerts from CoW DAO and firms like Blockaid helped limit exposure, but protection ultimately depends on user action. This attack did not break blockchain cryptography. It bypassed it entirely.

Repeated incidents like this confirm a new rule in DeFi: your wallet is only as secure as your last click. Frontend attacks will continue as long as domain systems and user habits remain weak. The responsibility no longer stops with developers. It extends to every user who must now verify URLs, audit permissions, and revoke access proactively. Decentralized finance is only as strong as its weakest layer. Today, that layer is often the browser.

The CoW token dipped 3% after the news. The deeper cost may be trust: users must now verify not just the protocol, but the very URL they type into their browser. The swap.cow.fi domain remained locked and inaccessible on April 15, entering its second day of disruption.
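The revocation advice above can be checked mechanically. The following is an added example, not code from CoW Swap or from this article: it scans a wallet's ERC-20 Approval event logs and lists allowances granted at or after the reported hijack time that have not since been set back to zero. It assumes the tokens are ERC-20 and that each log is a dict shaped like a JSON-RPC log entry with the block timestamp joined in; the function names, the `UNLIMITED` threshold and all addresses are constructed for illustration.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
HIJACK_TIME = datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc)  # from the article
UNLIMITED = 2**255  # assumption: at or above this, treat the allowance as "infinite"

def topic_to_address(topic):  # indexed addresses are left-padded to 32 bytes
    return "0x" + topic[-40:].lower()

def live_approvals_since(logs, owner, trusted_spenders=(), since=HIJACK_TIME):
    """Allowances `owner` set at or after `since` that are still non-zero.
    A later Approval for the same (token, spender) overwrites the earlier one,
    so an approval that was already revoked (amount 0) is not reported."""
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["timestamp"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        when = datetime.fromtimestamp(log["timestamp"], tz=timezone.utc)
        if topic_to_address(topics[1]) != owner.lower() or when < since:
            continue  # another wallet, or granted before the hijack window
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (int(log["data"], 16), when)
    return [
        {"token": token, "spender": spender, "granted": when.isoformat(),
         "unlimited": amount >= UNLIMITED, "trusted": spender in trusted}
        for (token, spender), (amount, when) in latest.items() if amount > 0
    ]

# --- constructed sample data (not real addresses or transactions) ---
def _log(token, owner, spender, amount, when, idx=0):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "timestamp": int(when.timestamp()), "logIndex": idx}
def _t(day, hour, minute):
    return datetime(2026, 4, day, hour, minute, tzinfo=timezone.utc)
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
KNOWN, UNKNOWN_X, UNKNOWN_Y = "0x" + "c0" * 20, "0x" + "d1" * 20, "0x" + "e2" * 20
SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, KNOWN, 2**256 - 1, _t(14, 10, 0)),       # before the hijack
    _log(TOKEN_A, OWNER, UNKNOWN_X, 2**256 - 1, _t(14, 15, 10)),  # after, still live
    _log(TOKEN_B, OWNER, UNKNOWN_Y, 500, _t(14, 15, 20)),         # after ...
    _log(TOKEN_B, OWNER, UNKNOWN_Y, 0, _t(15, 9, 0)),             # ... then revoked
    _log(TOKEN_A, OTHER, UNKNOWN_X, 10**18, _t(14, 16, 0)),       # different wallet
]
print(live_approvals_since(SAMPLE_LOGS, OWNER, [KNOWN]))
```

Each entry returned is an allowance that still needs to be revoked or confirmed as intended; an entry whose spender is not on the trusted list and whose allowance is unlimited is the highest priority.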
