Transaction batching protocol Furucombo suffers $14 million “evil contract” hack

The latest attack relied on user permissions granted to the protocol

The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds. 

Furucombo, a tool designed to help users “batch” transactions and interactions with multiple protocols at once, fell victim to the attack which centered on token approvals from users.

The attacker’s address currently has $14 million is various cryptocurrencies, but the attack appears to be larger as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour.

This attack is conceptually similar to the $20 million “evil jar” attack that struck Pickle Finance last year, as well as the $37 million “evil spell” exploit that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds.

So what happened to Furuсombo

An attacker using a fake contract made Furuсombo think that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL

— Igor Igamberdiev (@FrankResearcher) February 27, 2021

In this case, the attacker ‘tricked’ the Furucombo protocol into thinking that their contract was a new verison of Aave. From there, instead of draining funds from the protocol as in previous evil contract exploits, they instead leveraged the ability to take the funds of every user who had given the protocol token permissions. 

“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy in a statement to Cointelegraph.

This exploit type appears to be growing increasingly popular, now accounting for over $70 million in user funds lost in just a few months.

The team confirmed the attack in a Tweet, saying that they “believed” they’d mitigated the exploit but recommended revoking permissions “out of an abundance of caution:”

Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.

— FURUCOMBO (@furucombo) February 27, 2021

Users can leverage tools like revoke.cash to do so. 

The attack comes during a period of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to encourage more thorough and dynamic security practices.

iBTC 並非有關信息的提供者,不會為客戶或任何第三者對於該信息的(包括但不限於)正確性、品質、準確性、安全性、完整性、可靠性、性能、及時性、報價或持續可用性負責。本頁任何內容都不是投資建議

下載iBTC 手機APP
感受最佳交易體驗