CIP-DRAFT: Discretionary grants program for victims of the cow.fi domain hijacking

SIMPLE SUMMARY

This CIP proposes the creation of a discretionary grants program to provide support to victims of the cow.fi domain hijacking of April 14, 2026. It also specifies criteria for submitting and verifying claims, as well as a timeline for opening and closing the discretionary grants program.

MOTIVATION

As documented in the CoW.fi Domain Hijack Post-Mortem, the domain registrar (Gandi SAS) used by CoW Swap’s DNS holder (AWS Route 53) was compromised on April 14, 2026, in a social engineering attack that gave hackers control of the cow.fi domain for approximately 4.5 hours. During this time, hackers were able to serve a “phishing” website that tricked cow.fi visitors into signing malicious transactions that drained tokens from their wallets. The core team estimates that approximately 1.2M USDC worth of user funds were taken from users as a result of this incident.

Despite the fact that CoW Swap was not hacked and was in no way responsible for the security failures that led to the success of the attack on its domain registrar, we take our relationship with our users seriously, and we recognize that these relationships are built on trust. Therefore, we believe it is right and proper to do what we can to assist CoW Swap users that lost funds during the aforementioned incident.

SPECIFICATION

To help users recover their funds, the core team is asking for a mandate from the DAO to pursue, where necessary, any legal actions linked to this specific incident.

Additionally, the core team proposes the establishment of a discretionary grants program designed to provide voluntary financial assistance to users impacted by the recent incident.

To be eligible for a relief grant, users will need to submit claims via help@cow.fi by May 14, 2026 and have their claims verified by the core team. Verification is not straightforward, because the malicious drainer contract was live on multiple websites at the same time. Because of this, claims must meet the following criteria for verification:

  • The wallet must have traded on CoW Swap at least once before the incident took place

  • The wallet owner must have signed a malicious message or transaction with the specific drainer contract active on the “phishing” site that impersonated CoW Swap during the incident (notably, we hold the view that it is not appropriate to refund users who entered their wallet’s seed phrase, as this is not behavior that impersonates CoW Swap – or any DEX for that matter)

  • The wallet owner must identify themselves by following a KYC process (this is needed to ensure that the CoW Foundation entity processing the discretionary grant distributions is complying with local laws; information collected as part of this process will be destroyed within 30 days of grants being paid)

To submit a claim, affected users must send an email to help@cow.fi by May 14, 2026 with the subject line “Discretionary Grant Claim for CoW.Fi Domain Hijack Incident” and text in the email body that includes the impacted wallet address, the specific assets drained, and the name of the wallet owner. As soon as a claim is matched with onchain data, help@cow.fi will reply with KYC instructions for final verification.
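As an added illustration (not part of the proposal or of any CoW tooling), the two on-chain criteria above can be checked against a wallet's history as shown below; the contract addresses, the exact incident start time and the sample events are constructed placeholders, and the KYC step is left out of band.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed placeholders: the proposal names no addresses, so these stand in
# for the CoW Swap settlement contract and the phishing site's drainer contract.
COW_SETTLEMENT = "0xcowsettlement_placeholder"
DRAINER = "0xdrainer_placeholder"
# Incident window on April 14, 2026 (about 4.5 hours; exact start assumed here).
WINDOW_START = datetime(2026, 4, 14, 12, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 14, 16, 30, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Event:
    wallet: str      # signer / sender
    target: str      # contract or recipient the wallet interacted with
    when: datetime
    kind: str        # "trade", "approval", "permit", "transfer"

def verify_claim(wallet: str, events: list[Event]) -> tuple[bool, list[str]]:
    """Apply the two on-chain criteria; KYC is handled out of band."""
    mine = [e for e in events if e.wallet.lower() == wallet.lower()]
    traded_before = any(e.kind == "trade" and e.target == COW_SETTLEMENT
                        and e.when < WINDOW_START for e in mine)
    # Only an approval/permit granted to the drainer *during* the window counts:
    # the same drainer ran on other sites, so interactions outside the window
    # cannot be attributed to the hijacked cow.fi domain.
    signed_drainer = any(e.kind in ("approval", "permit") and e.target == DRAINER
                         and WINDOW_START <= e.when <= WINDOW_END for e in mine)
    reasons = []
    if not traded_before:
        reasons.append("no CoW Swap trade before the incident")
    if not signed_drainer:
        reasons.append("no approval/permit to the drainer contract in the incident window")
    return (not reasons, reasons)

# Constructed sample history (not real on-chain data).
T = lambda d, h, m: datetime(2026, 4, d, h, m, tzinfo=timezone.utc)
SAMPLE = [
    Event("0xAAA", COW_SETTLEMENT, T(10, 9, 0), "trade"),        # eligible: prior trade...
    Event("0xAAA", DRAINER, T(14, 13, 5), "permit"),              # ...and drainer permit in window
    Event("0xBBB", DRAINER, T(14, 14, 0), "approval"),            # never traded on CoW Swap
    Event("0xCCC", COW_SETTLEMENT, T(1, 9, 0), "trade"),
    Event("0xCCC", DRAINER, T(12, 10, 0), "approval"),            # drainer hit via another site
    Event("0xDDD", COW_SETTLEMENT, T(3, 9, 0), "trade"),
    Event("0xDDD", "0xattacker_eoa", T(14, 13, 30), "transfer"),  # key compromise: plain transfers only
]
```

The last wallet shows why a seed-phrase compromise fails the second criterion: the funds leave as ordinary transfers signed by the attacker, with no signature against the drainer contract.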

Once a claim is verified, the CoW DAO treasury team will transfer the USDC value of the amount a verified user lost at the time of the incident to the user’s wallet.

--

Any payment made under the program is voluntary, ex gratia in nature, and does not constitute an admission of liability, fault, or legal obligation on the part of CoW DAO, its tokenholders, contributors, adjacent legal entities, or service providers.

As a condition of receiving this payment, the recipient agrees that, to the fullest extent permitted by applicable law, the payment fully and finally settles any claim the recipient may have against CoW DAO, its tokenholders, contributors, adjacent legal entities, and service providers arising out of the specific incident described in this program. This does not affect any rights that cannot lawfully be waived.

This discretionary grant program will be funded via a one-time, exceptional mandate of the Legal Defense Reserve. This specific allocation is restricted to providing discretionary payments of up to 100% of the assets lost by CoW Swap users that were impacted by the signing of malicious messages or transactions during this specific incident and fulfilling the eligibility criteria listed above. Aside from this singular event, the standing mandate and restrictive use cases of the Legal Defense Reserve remain unchanged, as originally defined in CIP-50. This disbursement is an isolated, ex gratia gesture and does not establish a precedent for future use of the Legal Defense Reserve for purposes outside its primary defensive scope.

TIMELINE

The anticipated timeline for the discretionary grants program is as follows:

  • April 23 - CIP Draft posted to the forum

  • April 30 - CIP voting period begins on Snapshot

  • May 7 - CIP accepted or rejected via Snapshot

  • May 14 - All claims due to help@cow.fi; claim verification begins

  • May 21 - Claim verification complete; CoW DAO treasury starts issuing relief grants

  • May 31 - All discretionary grants paid; discretionary grants program is concluded

After all discretionary grants are paid, the treasury team will resume “topping up” the amount depleted from the Legal Defense Reserve until the total amount in that wallet reaches a value of 5M USDC, per its current mandate.

The timeline for the legal process is hard to predict. However, it is expected that the core team will keep the community apprised of key developments in the process.

EXECUTION

N/A

(notably, we hold the view that it is not appropriate to refund users who entered their wallet’s seed phrase, as this is not behavior that impersonates CoW Swap – or any DEX for that matter)

Seriously?! The interface on swap.cow.fi - at least on mobile where we were affected - stole seed phrases by posing as part of the parent web3 browser. That’s like if the connect wallet button on a browser was able to launch a native keychain prompt that prompted for a password. I would argue that is way worse as it capitalizes on that “autopilot response” that makes exploits like this so successful.

I’m very surprised by this, and am almost wondering if this is specifically trying to single us out since we were the biggest loser and accounted for half the losses. In which case couldn’t you guys at least have offered a partial refund? Not to mention that we’ve probably generated more than 50% of our loss in revenue for CowSwap..

There’s at least 10 different ways you guys could’ve gone here that make more sense. At least including us in the conversation being one of them.

I find this proposal very strong. I also agree that COW DAO should not refund users who compromised their own security by entering their seed phrase.

In the event that some funds are recovered through law enforcement efforts, how will those funds be allocated? Would they be directed to the legal protection fund?

Time to invest in a hardware wallet bro. I personally was compromised via the MetaMask Chrome addon in 2018, and I had 0 refund from MetaMask even though the addon was officially from the Chrome addon store. That is when I lost $500k because I was greedy enough to not pay for a hardware wallet because of an “it won’t happen to me” attitude.

First they would be allocated to victims of this incident that do not qualify for a discretionary grant under the terms set forth in this proposal. Then TBD. It is reasonable that they would be directed toward the Legal Defense Reserve, or they could go to the treasury for general use (to fund new initiatives, extend runway, earn interest, etc.).