CoW DAO has voted to compensate users who lost funds during the April 14 cow.fi domain hijack, with the reimbursement coming straight from its Legal Defense Reserve. The governance proposal, CIP-86, passed through a Snapshot vote on May 7 and set a hard deadline of May 14 for all claims.

The attack itself never touched CoW Protocol’s smart contracts. What hackers got instead was the cow.fi domain through a social engineering strike on domain registrar Gandi SAS, the company managing DNS for AWS Route 53 at the time. For roughly 4.5 hours, anyone visiting the site hit a fake frontend built to drain wallets.

What Happened on April 14

According to CoW Swap on X, hackers used social engineering to gain control of the cow.fi domain, and while they held it a phishing site tricked users into approving malicious transactions.

“On April 14, a social engineering attack on our domain registrar gave hackers control of our domain for approximately 4.5 hours. During that window, a phishing site tricked users into approving malicious transactions.”

The core team estimates those 4.5 hours cost users around 1.2 million USDC. CoW Protocol’s infrastructure, including its backend systems and settlement layer, stayed intact throughout. The attack never broke the protocol. It broke the path between users and the protocol.

That distinction matters because CoW DAO had no legal obligation to pay anything back. The Legal Defense Reserve, established under CIP-50, was not designed for user compensation. Its original mandate was defensive legal coverage. This disbursement is the first time the fund is being redirected toward ex gratia payments.

The CIP-86 Claim Process

CoW Swap confirmed on X that despite the security failure originating outside the protocol, the DAO is doing what it believes is right by making affected users whole.

“Even though the security failure wasn’t ours, we’re doing what we believe is right: we’re making affected users whole.”

The grants program, posted to the governance forum by moo_keeper on April 23, lays out three conditions a victim must satisfy. The affected wallet must have traded on CoW Swap at least once before the incident. The wallet owner must have signed the specific malicious transaction linked to the phishing site active that day. Users who entered a seed phrase are excluded, as that action does not mirror CoW Swap’s interface behavior.

Then there is the KYC layer. To receive payment, verified users must complete an identity check. The CoW Foundation needs it to comply with local laws before processing any grant transfers. That data gets destroyed within 30 days of grants being paid.

To file a claim, users must email [email protected] before May 14, 2026, with the subject line “Discretionary Grant Claim for CoW.Fi Domain Hijack Incident.” The email body needs to include the impacted wallet address, the specific assets drained, and the wallet owner’s name. Once onchain data confirms the claim, KYC instructions follow.

Deadline Is Firm

CoW Swap posted on X urging anyone who may have been affected to share the information widely, noting the window is short and they do not want anyone to miss out.

“Please share this with anyone who may have been affected. The window is short, and we don’t want anyone to miss out.”

Per the CIP-86 timeline, claim verification runs from May 14 to May 21. The treasury team starts issuing relief grants on May 21. All payments close by May 31.

The DAO was explicit in one area. Payments made under the program are voluntary. They do not constitute an admission of fault or legal liability by CoW DAO, its contributors, or any adjacent entity. A verified recipient, by accepting the grant, agrees the payment settles any claim they may hold against the DAO arising from this specific incident.

CoW Swap stated on X that CIP-86 passed through community governance, with the DAO approving the discretionary grants program to reimburse users who lost funds.

“CIP-86 — our community governance proposal — passed. CoW DAO has approved a discretionary grants program to reimburse users who lost funds during the incident.”

After all grants are paid, the treasury team will resume replenishing the Legal Defense Reserve until it returns to 5M USDC, as originally defined under its mandate.