Hacker siphons $14 million from Furucombo protocol

A flaw in the Furucombo protocol

Furucombo is a tool designed to help users “group” transactions and interactions with multiple decentralized finance (DeFi) protocols.

The protocol was attacked at around 5.45pm on Saturday and lost the equivalent of $14 million in Ether (ETH) and tokens ERC-20 . We can see an initial estimate of the loot below:

How is that possible? The attacker used a fake contract to make the app believe it was an update to Aave v2.

From there, instead of draining funds from the protocol as in previous exploits, the attacker took advantage of the ability to transfer funds from each user who had given withdrawal permissions to the protocol.

Get 5% discount on Binance fees!

The attacker then sent some of the funds to the Tornado Cash mixer to prevent the tracking of transactions.

Currently, the hacker’s address contains more than 4,560 ETH, worth approximately $6.8 million, and more than $7 million in ERC20 tokens, including more than $5.5 million in stable DAI. These assets do not include funds that were sent to Tornado Cash for laundering.

Caution with Furucombo

Furucombo’s team confirmed the attack in a Tweet, saying they “believed” they had mitigated the flaw, but recommended that its users revoke the authorizations “out of an abundance of caution.”

Emiliano Bonassi, co-founder of DeFi Italy, said:

“Infinite permissions mean you can liquidate anyone who has interacted with Furucombo.”

For example, anyone who has interacted with the Furucombo app must revoke permission to withdraw funds from their wallets using tools such as Revoke.cash or Approved.zone. The addresses of Furucombo contracts to check are:

  • 0x57805e5a227937BAc2B0FdaCaA30413ddac6B8E1
  • 0x17e8ca1b4798b97602895f63206afcd1fc90ca5f

In 2020, we have witnessed several malicious deFi protocol attacks. Victims include Harvest Finance, Value DeFi, Akropolis, Cheese Bank and Pickle Finance.

The Furucombo attack is yet another reminder for app users to seriously consider contract security and take precautions when the funds committed are significant.


What you need to know about affiliate links.
 This page may present investment-related assets, products or services. Some of the links in this article are affiliated. This means that if you buy a product or register on a site from this article, our partner pays us a commission. This allows us to continue to offer you original and useful content. There is no impact on you and you can even get a bonus using our links.
Investments in cryptocurrencies are risky!
Btctools is not responsible for the quality of the products or services presented on this page and could not be held responsible, directly or indirectly, for any damage or loss caused by the use of a good or service highlighted in this article. Investments related to crypto-assets are risky by nature, readers must do their own research before taking any action and invest only within their financial possibilities. This article does not constitute investment advice.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.