According to the recent report, an attacker seems to have used CoWSwap's GPv2Settlement contract. Read for more info.