Transaction batching protocol Furucombo suffers $14 million “evil contract” hack

Published at: Feb. 27, 2021

The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds.  

Furucombo, a tool designed to help users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC, which centered on token approvals from users.

The attacker’s address currently has $14 million worth of various cryptocurrencies, but the attack appears to be larger as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour.

This attack is conceptually similar to the $20 million “evil jar” attack that struck Pickle Finance last year, as well as the $37 million “evil spell” exploit that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds.

So what happened to FurucomboAn attacker using a fake contract made Furucombo think that Aave v2 has a new implementation.Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL

— Igor Igamberdiev (@FrankResearcher) February 27, 2021

In this case, the attacker ‘tricked’ the Furucombo protocol into thinking that their contract was a new verison of Aave. From there, instead of draining funds from the protocol as in previous evil contract exploits, the attacker instead leveraged the ability to transfer the funds of every user who had given the protocol token permissions. 

“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy Emiliano Bonassi in a statement to Cointelegraph.

This type of exploit appears to be growing increasingly popular, now accounting for over $70 million in user funds lost in just a few months.

The team confirmed the attack in a Tweet, saying that they “believed” they’d mitigated the exploit but recommended revoking permissions “out of an abundance of caution:”

Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.

— FURUCOMBO (@furucombo) February 27, 2021

Users can leverage tools like revoke.cash to do so. 

The attack comes during a period of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to encourage more thorough and dynamic security practices. 

Tags
Related Posts
Crypto hacks are set to hit all-time highs in 2022, analyst explains
Reducing the amount of hacking by improving cybersecurity should be considered a top priority for the crypto industry, said Kim Grauer, director of research of blockchain intelligence firm Chainalysis. As pointed out by the firm, this year could outpace 2021 in terms of crypto stolen through hacks. The vast majority of these exploits have been targeting the field of decentralized finance. “This can't go on in the industry because people are going to lose faith in investing in DeFi platforms”, Grauer said in an interview with Cointelegraph. Unlike centralized exchanges, which have improved their resiliency to crypto hacks, decentralized protocols …
Blockchain / Oct. 19, 2022
Poly Network hacker returns less than 1% of the $600M theft
These transfers have occurred across the three wallets associated with the Poly Network hacker across the Ethereum, Binance Smart Chain (BSC) and Polygon networks. Poly Network confirmed receipt of the returned funds via a tweet issued on Tuesday. Details from Etherscan show that $2 million worth of Shiba Inu (SHIB) and $616,000 in Fei USD (FEI) tokens are being returned. So far, we have received a total value of $4,772,297.675 assets returned by the hacker. ETH address: $2,654,946.051 BSC address: $1,107,870.815 Polygon address: $1,009,480.809 pic.twitter.com/bPFAQk4mvS — Poly Network (@PolyNetwork2) August 11, 2021 Data from BscScan also shows the hacker returning …
Ethereum / Aug. 11, 2021
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
STEPN impersonators stealing users' seed phrases, warn security experts
Peckshield, a prominent blockchain security firm, exposed the existence of numerous phishing websites for the Web3 lifestyle app STEPN on Monday. Hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users, according to Peckshield. When these cybercriminals obtain the seed phrase, they gain complete control over the STEPN user's dashboard where they may connect their stolen wallets to their own or "claim" a giveaway as per Peckshield. #PeckShieldAlert #phishing PeckShield has detected a bath of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or …
Adoption / April 25, 2022
DeFi was the most attacked ecosystem in 2022: Finance Redefined
Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week. The DeFi ecosystem started 2023 on a bullish note, similar to the broader cryptocurrency market. However, the bullish start to the year didn’t diminish the damage caused by vulnerabilities and attacks in 2022. A new research report has highlighted that DeFi was the most vulnerable crypto ecosystem, at the receiving end of 113 exploits out of the total 167. On top of that, blockchain security experts have warned the trend could continue in 2023. …
Ethereum / Jan. 13, 2023