CoW Swap is the first trading interface built on top of CoW Protocol. CoW Swap is a Meta DEX aggregator that allows you to buy and sell tokens using gasless orders that are settled peer-to-peer among users, or into any on-chain liquidity source while providing protection from MEV.

Cow Protocol engaged Ackee Blockchain to perform a security review of the ComposableCoW & ExtensibleFallbackHandler with a total time donation of 8 engineering days in a period between July 18 and July 28, 2023.


We began our review by using static analysis tools, namely Wake. We then took a deep dive into the logic of the contracts. For testing, we have involved Wake testing framework. During the review, we paid special attention to:

  • replay attacks
  • signature validation
  • payload manipulation
  • detecting possible reentrancies
  • ensuring the arithmetic of the system is correct
  • the correctness of encoding/decoding data
  • ERC-1271 compliance
  • looking for common issues such as data validation. 


The audit has been performed on the following scope:

The review was done on the given commits Revision 1.0

  • 27ec79b for ComposableCow
  • 11273c1 for ExtensibleFallbackHandler 

Revision 1.2 was done on the ComposableCow commit bd2634d, the ExtensibleFallbackHandler commit was not changed since Revision 1.1. 


Here we present our findings.

Critical severity 

C1: StopLoss arithmetic mismatches 

High severity 

No high severity issues were found.

Medium severity

M1: Oracle data validation 

Low severity

L1: Constructor data validation 

Warning severity

W1: GPv2Order data tampering

W2: Revert conditions inconsistency

W3: Vulnerable MerkleProof library

W4: GoodAfterTime order is missing the receiver address

Informational severity

I1: Unnecessary SafeMath

I2: Missing cabinet cleanup

I3: Errors in the documentation

I4: TradeAboveThreshold order receiver naming

I5: Inconsistent error

I6: Commented-out code

I7: Inconsistent naming


Our review resulted in 14 findings, ranging from Informational to Critical severity. The critical issue C1: StopLoss arithmetic mismatches has been fixed according to our recommendations, and the decimals handling in the M1: Oracle data validation issue were implemented properly (Revision 1.2).

Other issues are low-severity data validations, warnings and informational findings, which are recommendations rather than issues. The overall code quality and architecture are professional. The whole project is well documented and contains in-code NatSpec documentation and detailed comments.

Ackee Blockchain recommendes CoW Protocol:

  • to add oracle data validations
  • to be aware of zero-address validations
  • to unify syntax and naming
  • to address all reported issues. 

As of Revision 1.2, L1: Constructor data validation issue was acknowledged, all other issues were fixed. 

Ackee Blockchain’s full COW Protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Cow Protocol and look forward to working with them again.