Governance Inconsistency: DAO Vote for DNS Hijack Reimbursement vs. AAVE Swap Windfall

Governance Inconsistency: Why do we vote to pay back some users, but not others?

The Core Issue

I’m raising a concern regarding the lack of a consistent governance framework when it comes to major treasury movements. Specifically, I’m looking at the stark difference in how we handled the Aave reimbursement versus the current DNS hijack situation.

In both cases, the protocol technically functioned as intended. However, the process for returning funds has been completely different, and it raises some serious questions about how decisions are actually made here.


A Tale of Two Incidents

1. The AAVE Investor Reimbursement (March 12, 2026)

  • What happened: A user lost nearly $50M due to a slippage error on Aave’s UI. CoW’s routing protocol generated roughly $600k in fees from this single trade.

  • CoW’s Responsibility: Zero. The mistake happened on Aave’s interface, not ours. CoW just provided the back-end routing.

  • The Response: The $600k was reimbursed to the user.

  • The Governance Gap: This was done without a DAO vote. It was essentially an executive decision to return over half a million dollars of protocol revenue.

2. The DNS Hijack Incident (April 14, 2026)

  • What happened: CoW Swap’s official domain (swap.cow.fi) was compromised. Total user losses are around $1.2M.

  • CoW’s Responsibility: Significant. Users visited our official site and trusted our brand. This happened on our “front porch.”

  • The Response: We are currently being told we need a DAO vote to decide if we should reimburse these victims.

  • The Governance Gap: Why is this one being treated as a debate? If anything, this reimbursement is far more justified than the Aave one because the failure happened on our official infrastructure.


The Token Holder’s Perspective: “Heads You Win, Tails We Lose”

As a COW token holder, I’m starting to feel like governance is only a thing when it’s convenient for the team.

  • Value Extraction: When the protocol “accidentally” makes $600k from a user’s mistake on another platform, that value belongs to the DAO (and by extension, the token holders). When that money is sent back without a vote, our treasury is being diluted by executive fiat.

  • Selective Voting: Why is it that when it’s time to take value away from the DAO (reimbursing the Aave user), there’s no vote, but when we have a moral obligation to protect our own users (DNS hijack), we have to sit through weeks of governance theater?

  • The Illusion of Control: If the team can unilaterally decide to give away $600k of DAO revenue, then what is the point of holding COW? We are the first ones to “suck the value from” when it’s time to be generous to outsiders, but we are the last ones consulted when our own reputation is on the line.


The Inconsistency

The optics here are really bad. When we had no responsibility (Aave), $600k was sent back immediately without asking the DAO. But when the fault lies with our own official site (DNS hijack), the team suddenly wants to “ask the DAO” before helping users.


The irony: We bypassed governance to be generous to a user who made a mistake on a different platform, but we are hiding behind a formal vote to delay helping users who were exploited on our own domain.


Why This Matters

  1. The Double Standard: If the $600k Aave refund didn’t need a vote, then the DNS refund, which is much more justified, shouldn’t be stuck in a governance bottleneck either.

  2. Selective Governance: It feels like governance is being used as a shield to avoid making a hard decision on a $1.2M payout, even though the team already proved they can move $600k without a vote when they want to.

  3. Brand Trust: Users who used swap.cow.fi were let down by our infrastructure. Making them wait for a DAO vote while the Aave user got a “fast-track” refund is a slap in the face to our core users.


Proposed Resolution

We need to stop moving the goalposts and respect the token holders.

  • Option A: If the Aave reimbursement was “automatic,” the DNS hijack victims should be reimbursed with the same urgency, bypass the vote, and be made whole immediately.

  • Option B: If we are a DAO that votes on everything, then the $600k Aave refund was a governance violation and we need a post-mortem on why it was allowed to happen without a proposal.

  • Option C: Establish a clear rule: If a loss happens on an official CoW Swap interface, reimbursement is automatic up to a certain threshold.


Questions for the DAO

  1. Why was the Aave user’s refund more “urgent” than the users who were hacked on our own official site?

  2. Who decided that $600k of token holder value could be given away without a vote?

  3. If I am holding COW to participate in governance, why am I only invited to the table when the decision is difficult or expensive?

Conclusion

We shouldn’t be “fast-tracking” refunds for outsiders using DAO revenue while “slow-tracking” our own users who trusted our official domain. If the team can return $600k for an Aave error without a vote, they are effectively spending token holder value without permission. We deserve a consistent process that protects both our users and the treasury.


References:

  • DNS Hijack Incident: Link

  • AAVE Swap Incident: Link

  • CoW Swap Post-Mortem (DNS): Link

1 Like

Thanks for raising this, @karolac. We think two points may help clarify the situation.

First, the widely-circulated $600k figure does not reflect the actual economic value of the fees collected on that trade.

Based on the settlement data, the settlement contract collected approximately 4.06 AAVE in total fees, which is roughly $400 at current prices. The larger figure results from valuing that amount at the abnormal implied execution rate at the time of the event (somewhere in the range of $145,000 per AAVE) as reported by CoW Explorer.

Second, the Core Team did not refund, nor propose to refund, that amount. More generally, any decision to use DAO funds for reimbursement requires governance approval through the normal DAO process.

For those reasons, we do not think this should be understood as a governance inconsistency.

5 Likes

Hi folks,

Chiming in on governance inconsistency here, not necessarily regarding the DNS hijack vs. AAVE swap but specifically regarding the DNS hijack.

The postmortem in its “User Losses and Refund Considerations” section states:

Any proceeds recovered through legal enforcement actions against the involved parties will be allocated toward reimbursing users who incurred losses as a result of this incident.

Any additional reimbursement measures, beyond funds recovered through legal channels, would be subject to a decision by the CoW DAO governance process.

Contributors to CoW DAO will actively support these two processes, including providing updates on the legal strategy and any developments related to potential claims, as well as engaging in relevant CoW DAO governance discussions.

What it says is the following (correct me if I’m wrong):

CoW DAO is currently pursuing legal recourse (I guess via CoW Hosting Limited?) against the involved parties (i.e., Gandi and maybe also Traficom). The proceeds of that legal recourse will be allocated to the victims. Furthermore, any additional reimbursement measures, beyond funds recovered through legal channels, would be subject to a decision by the CoW DAO governance process.

I think it was wrong to proceed this way instead of, firstly, starting the CoW DAO governance process to compensate the victims; and secondly, using the proceeds of the recourse to refill the treasury. I will point out that the Option A suggested by @karolak should be strongly considered for the following reasons:

  • This is user-centric; it comes with speed and certainty.
  • It builds trust in the CoW DAO approach rather than leaving questions hanging like “was it negligence that led to the social engineering // are they disclosing everything?”
  • It brings tokens back to your users in a period of high market stress, and those users will undoubtedly trade on CoW Swap later.
  • Most of all, it simplifies the legal standing, which could otherwise take years, keeping the topic hanging and recurring in the discussion forums.
  • The longer the wait, the more likely users will start to seek legal recourse themselves, for which CoW Hosting Limited will be the primary target.

Regarding legal recourse, it is worth noting that the victims have no privity of contract with Gandi SAS. Gandi being based in France opens the possibility of pressing charges in France to seek the responsibility of both Gandi and CoW Hosting Limited, with much lower legal fees than going after CoW Hosting in the BVI.

Lastly, we are waiting for the release of the audit from Mandiant, which hopefully won’t point to any additional negligence apart from the absence of a Registry Lock on the domain (which is a huge disappointment in itself). If the audit ends up more compromising, the legal recourse of CoW DAO against Gandi will most likely vanish while the brand will be even more damaged. This further supports the consideration of Option A.

2 Likes
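The reply above faults the absence of a Registry Lock on the domain. A Registry Lock is visible from outside: it sets the server-side EPP statuses (serverUpdateProhibited, serverDeleteProhibited, serverTransferProhibited), which only the registry can clear, whereas client* statuses are registrar-level and go away with a compromised registrar account. The following is an added example, not code from this thread or from CoW DAO, that reads those statuses out of an RDAP domain record (RFC 9083 format, with EPP codes rendered as RFC 8056 words such as "server update prohibited"). The sample records are constructed; the domain names and the exact status sets in them are assumptions for illustration.

```python
"""Report registry-lock (server-side EPP) statuses from an RDAP domain record.

Added example for checking whether a domain is registry-locked; not code from
the thread or from CoW DAO. Input is the JSON an RDAP server returns for
/domain/<name>; the samples below are constructed, not real records.
"""
import json

# Server-level EPP status codes set by a registry lock. Only the registry can
# remove these, so a hijacked registrar account cannot change nameservers.
SERVER_LOCKS = {
    "serverupdateprohibited",
    "serverdeleteprohibited",
    "servertransferprohibited",
}
# Registrar-level locks. Useful, but removable by anyone who controls the
# registrar account, which is exactly the position a DNS hijacker is in.
CLIENT_LOCKS = {
    "clientupdateprohibited",
    "clientdeleteprohibited",
    "clienttransferprohibited",
}


def _normalize(status: str) -> str:
    # RFC 8056 writes EPP codes in RDAP as lowercase words with spaces
    # ("server update prohibited"); some servers emit the camelCase EPP form.
    # Fold both to one key so the comparison is shape-independent.
    return status.replace(" ", "").lower()


def registry_lock_report(rdap: dict) -> dict:
    """Summarize which lock statuses an RDAP domain object carries."""
    statuses = {_normalize(s) for s in rdap.get("status", [])}
    server_present = sorted(SERVER_LOCKS & statuses)
    client_present = sorted(CLIENT_LOCKS & statuses)
    fully_locked = SERVER_LOCKS <= statuses  # all three server locks set
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "server_locks": server_present,
        "client_locks": client_present,
        "registry_locked": fully_locked,
        # Partial server locks still mean the registry acted, but update
        # protection (the one that stops NS changes) is what matters most.
        "update_protected": "serverupdateprohibited" in statuses,
        "registrar_locks_only": bool(client_present) and not server_present,
    }


# Constructed sample records (not real RDAP data; names are placeholders).
LOCKED_RECORD = {
    "objectClassName": "domain",
    "ldhName": "LOCKED-EXAMPLE.COM",
    "status": [
        "client transfer prohibited",
        "server update prohibited",
        "server delete prohibited",
        "server transfer prohibited",
    ],
}
REGISTRAR_ONLY_RECORD = {
    "objectClassName": "domain",
    "ldhName": "UNLOCKED-EXAMPLE.COM",
    "status": [
        "clientTransferProhibited",  # camelCase EPP form, still recognized
        "client update prohibited",
    ],
}


def main() -> None:
    for record in (LOCKED_RECORD, REGISTRAR_ONLY_RECORD):
        print(json.dumps(registry_lock_report(record), indent=2))


if __name__ == "__main__":
    main()
```

To run it against a live domain, fetch the RDAP object first (for example with `curl https://rdap.org/domain/<name>`, rdap.org being a public RDAP redirector; this is the approach assumed here, not something the thread describes), load the JSON and pass it to `registry_lock_report`. A record that shows only `clientUpdateProhibited` and friends is the weaker posture the reply complains about: those locks disappear with the registrar account.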