CIP-86: Discretionary grants program for victims of the cow.fi domain hijacking

SIMPLE SUMMARY

This CIP proposes the creation of a discretionary grants program to provide support to victims of the cow.fi domain hijacking of April 14, 2026. It also specifies criteria for submitting and verifying claims, as well as a timeline for opening and closing the discretionary grants program.

MOTIVATION

As documented in the CoW.fi Domain Hijack Post-Mortem, the domain registrar (Gandi SAS) used by CoW Swap’s DNS holder (AWS Route 53) was exploited on April 14, 2026, in a social engineering attack that gave hackers control of the cow.fi domain for approximately 4.5 hours. During this time, hackers were able to serve a “phishing” website that tricked cow.fi visitors into signing malicious transactions that drained tokens from their wallets. The core team estimates that approximately 1.2M USDC worth of user funds were taken from users as a result of this incident.

Despite the fact that CoW Swap was not hacked and was in no way responsible for the security failures that led to the success of the attack on its domain registrar, we take our relationship with our users seriously, and we recognize that these relationships are built on trust. Therefore, we believe it is right and proper to do what we can to assist CoW Swap users that lost funds during the aforementioned incident.

SPECIFICATION

To help users recover their funds, the core team is asking for a mandate from the DAO to pursue, where necessary, any legal actions linked to this specific incident.

Additionally, the core team proposes the establishment of a discretionary grants program designed to provide voluntary financial assistance to users impacted by the recent incident.

To be eligible for a relief grant, users will need to submit claims via help@cow.fi by May 14, 2026 and have their claims verified by the core team. Verification is not straightforward, given the fact that the malicious drainer contract was live on multiple websites at the same time. Because of this, claims must meet the following criteria for verification:

• Traded on CoW Swap at least once before the incident took place; or

• Been directly funded by one or more wallets that traded on CoW Swap before the incident took place. In this case, the funding path must be clear, direct, and verifiable on-chain. (Wallets funded through mixers, privacy-obfuscation tools, sanctioned addresses, or other sources that create legal, sanctions, AML, or verification concerns are not eligible.)

• The wallet owner must have signed a malicious message or transaction with the specific drainer contract active on the “phishing” site that impersonated CoW Swap during the incident.

• Claims are not eligible where the relevant loss resulted from the claimant entering, disclosing, or otherwise exposing a seed phrase or private key.

• The wallet owner must identify themselves by following a KYC process. This is needed to ensure that the CoW Foundation entity processing the discretionary grant distributions is complying with local laws. Information collected as part of this process will be destroyed within 30 days of grants being paid.

To submit a claim, affected users must send an email to help@cow.fi by May 14, 2026 with the subject line “Discretionary Grant Claim for CoW.Fi Domain Hijack Incident” and text in the email body that includes the impacted wallet address, the specific assets drained, and the name of the wallet owner. As soon as a claim is matched with onchain data, help@cow.fi will reply with KYC instructions for final verification.

Once a claim is verified, the CoW DAO treasury team will transfer the USDC value of the amount a verified user lost at the time of the incident to the user’s wallet.

Any payment made under the program is voluntary, ex gratia in nature, and does not constitute an admission of liability, fault, or legal obligation on the part of CoW DAO, its tokenholders, contributors, adjacent legal entities, or service providers.

As a condition of receiving this payment, the recipient agrees that, to the fullest extent permitted by applicable law, the payment fully and finally settles any claim the recipient may have against CoW DAO, its tokenholders, contributors, adjacent legal entities, and service providers arising out of the specific incident described in this program. This does not affect any rights that cannot lawfully be waived.

This discretionary grant program will be funded via a one-time, exceptional mandate of the Legal Defense Reserve. This specific allocation is restricted to providing discretionary payments of up to 100% of the assets lost by CoW Swap users that were impacted by the signing of malicious messages or transactions during this specific incident and fulfilling the eligibility criteria listed above. Aside from this singular event, the standing mandate and restrictive use cases of the Legal Defense Reserve remain unchanged, as originally defined in CIP-50. This disbursement is an isolated, ex gratia gesture and does not establish a precedent for future use of the Legal Defense Reserve for purposes outside its primary defensive scope.

TIMELINE

• The anticipated timeline for the discretionary grants program is as follows:

• April 23 - CIP Draft posted to the forum

• April 30 - CIP voting period begins on Snapshot

• May 7 - CIP accepted or rejected via Snapshot

• May 14 - All claims due to help@cow.fi; claim verification begins

• May 21 - Claim verification complete; CoW DAO treasury starts issuing relief grants

• May 31 - All discretionary grants paid; discretionary grants program is concluded

After all discretionary grants are paid, the treasury team will resume “topping up” the amount depleted from the Legal Defense Reserve until the total amount in that wallet reaches a value of 5M USDC, per its current mandate.

The timeline for the legal process is hard to predict. However, it is expected that the core team will keep the community appraised of key developments in the process.

EXECUTION

N/A