CoW DAO approves compensation for cow.fi hijack victims, claims due May 14

CoW DAO approved CIP‑86 to offer discretionary grants of up to 100% to victims of April’s cow.fi domain hijack, with detailed claims due by May 14 and payouts targeted by May 31.

CoW DAO has formally approved a user compensation plan for victims of April’s cow.fi domain hijacking and is now asking affected users to file claims by May 14. The decision follows a community vote on governance proposal CIP‑86, which establishes a discretionary grants program to reimburse losses of up to 100% for users who were phished while the project’s domain registrar was under attacker control.

Social engineering at the registrar layer

According to the CIP‑86 proposal and the DAO’s post‑mortem, the incident occurred on April 14, 2026, when CoW Swap’s .fi domain registrar, Gandi SAS, was compromised in a social engineering attack. Attackers exploited the registrar’s controls over DNS records used by CoW Swap’s AWS Route 53 servers, briefly taking over the cow.fi domain for approximately 4.5 hours and redirecting users to a phishing website that mimicked the real interface.

During that window, users who visited the hijacked domain were served a fake trading UI and tricked into signing malicious transactions, which drained tokens from their wallets. CoW DAO has repeatedly stressed that CoW Protocol’s smart contracts and backend infrastructure were never breached, and that the vulnerability was “entirely at the domain registrar layer rather than in protocol code.” A KuCoin incident report estimated user losses at roughly $1.2 million in USDC and other assets, a figure echoed by multiple follow‑up analyses.

CIP‑86: discretionary grants and strict criteria

To address those losses, CoW DAO’s community approved CIP‑86, which sets up a one‑time discretionary grants program funded from the DAO’s Legal Defense Reserve. Under the plan, eligible victims can receive up to 100% compensation for verified losses, but the DAO emphasizes that payments are voluntary “goodwill” grants and do not constitute an admission of legal liability. The proposal also gives the core team a mandate to pursue legal action against third parties where necessary, including entities involved in the registrar supply‑chain attack.

CIP‑86 lays out strict criteria for relief grants. Claimants must have interacted with the malicious contract during the hijack window, demonstrate a history of using CoW Swap prior to the attack, and provide sufficient on‑chain evidence to link their losses to the phishing incident rather than unrelated scams. A Binance‑hosted summary notes that claims will be processed as “discretionary grants” rather than automatic reimbursements, with the verification process comparing submitted data to on‑chain records before any payout is authorized.

Claim process and May 14 deadline

CoW DAO and its ecosystem channels are now urging affected users to file claims before the May 14 cutoff. To qualify, users must send an email to [email protected] with the subject line “Discretionary Grant Claim for CoW.Fi Domain Hijack Incident,” including the affected wallet address, a list of assets and amounts drained, relevant transaction hashes, and the claimant’s name. Once support staff match the request with on‑chain data, users will receive a follow‑up email outlining any additional steps, which may include KYC checks before funds are released.

The CIP‑86 timeline anticipates that all valid claims will be submitted by May 14, reviewed over the following weeks, and reimbursed by May 31, subject to DAO treasury and verification outcomes. For CoW DAO, the episode has become a case study in how DeFi protocols can respond to off‑chain supply‑chain attacks: by treating domain‑level security as critical infrastructure, separating protocol integrity from web‑layer exploits, and using governance to authorize voluntary, time‑boxed compensation without rewriting history on-chain.