CoW DAO approves voluntary refunds despite no protocol breach in domain hijack

May 10, 2026

CoW DAO has approved a proposal to reimburse users affected by the April 2026 cow.fi domain hijacking, despite the protocol itself never suffering a smart contract breach.

The governance proposal authorizes a discretionary grants program for users who lost funds during the phishing attack, which stemmed from a registrar-level domain takeover rather than a compromise of CoW Protocol infrastructure.

According to the project’s postmortem, users lost an estimated $1.2 million during the incident after attackers redirected the cow.fi domain to a phishing website that tricked visitors into signing malicious wallet transactions.

The proposal allows eligible victims to receive up to 100% reimbursement for verified losses using funds from CoW DAO’s Legal Defense Reserve.

Proposal draws line between phishing and user negligence

The approved measure includes strict eligibility requirements for compensation.

Users must prove that:

  • their wallet interacted with the malicious drainer contract tied to the fake CoW interface,
  • the wallet had used CoW Swap before the attack,
  • and the claimant completes a KYC verification process.

The DAO will not compensate users who entered their wallet seed phrases into fake prompts during the attack.

That distinction reflects a broader governance position within the proposal. CoW DAO treats malicious transaction approvals tied to the impersonated interface differently from direct disclosure of recovery phrases.

Claims must be submitted by 14 May through CoW’s support channels before the verification process begins.

No admission of liability

Although the DAO approved reimbursements, the proposal repeatedly states that the payments remain voluntary and do not represent an admission of liability or legal fault.

The document describes the grants as “ex gratia” payments, meaning CoW DAO provides them as a goodwill gesture rather than a legal obligation.

That language may prove important because the incident did not involve a failure of CoW Protocol’s smart contracts, backend infrastructure, or settlement systems.

Instead, attackers exploited weaknesses in the .fi domain registrar transfer process through a social engineering campaign targeting Finland’s domain registry infrastructure.

The phishing site remained active for several hours before the team recovered control of the domain.

Treasury funds to cover reimbursements

The reimbursements will come from CoW DAO’s Legal Defense Reserve, a treasury allocation originally designed for legal and defensive actions.

The proposal describes the payout as a one-time exception and explicitly states that it should not create a precedent for future incidents.

After compensation payments conclude, the DAO treasury plans to replenish the reserve until it returns to its previous $5 million level.

Why the decision matters

The vote highlights a growing debate across DeFi about protocol responsibility during Web2 infrastructure attacks.

In this case, CoW Protocol’s contracts continued operating normally, yet users still lost funds because attackers hijacked the project’s domain and deployed a convincing phishing interface.

By approving compensation anyway, CoW DAO signals that protecting long-term user trust may outweigh strict technical definitions of protocol liability.


Final Summary

  • CoW DAO approved voluntary reimbursements for victims of the April cow.fi phishing attack, which caused about $1.2M in losses.
  • The DAO says the payments do not represent an admission of liability because the protocol itself was never breached.
