Furucombo is a tool designed to help users “bundle” transactions and interactions with multiple Decentralized Finance (DeFi) protocols.
The protocol was attacked on Saturday at 5:45 p.m. and lost the equivalent of $14 million in Ether (ETH) and ERC-20 tokens.
How was that possible? The attacker used a fake contract to pass itself off to the Furucombo application as an updated Aave v2 contract.
From there, rather than draining funds held by the protocol itself, as in earlier DeFi exploits, the attacker used that trusted position to pull tokens directly from the wallets of every user who had granted the Furucombo contract an ERC-20 token approval (an allowance that lets the approved contract call transferFrom on the user's balance). The attacker then sent part of the proceeds to the Tornado Cash mixer to hinder tracing of the transactions.
Currently, the hacker’s address contains more than 4,560 ETH, worth approximately $6.8 million, and more than $7 million in ERC20 tokens, including more than $5.5 million in stablecoin DAI. These assets do not include funds that were sent to Tornado Cash for laundering.
Furucombo’s team confirmed the attack in a tweet, saying it “believed” it had mitigated the flaw, but recommended that users revoke permissions “as a precautionary measure.”
Emiliano Bonassi, co-founder of DeFi Italy, said:
“Infinite permissions mean that you can liquidate anyone who has interacted with Furucombo.”
Therefore, everyone who has interacted with the Furucombo application should revoke the token approvals that allow its contracts to withdraw funds from their wallets, using a tool such as Revoke.cash or Approved.zone. The Furucombo contract addresses to check are:
In 2020 we witnessed several attacks on DeFi protocols. Among the victims were Harvest Finance, Value DeFi, Akropolis, Cheese Bank and Pickle Finance.
The Furucombo attack is yet another reminder for DeFi users to take contract security seriously and to take precautions when significant funds are involved. Unlimited (“infinite”) token approvals save users a little gas by avoiding repeated approval transactions, but they leave the entire wallet balance exposed to whatever code ends up behind the approved contract, and that risk is too great for most users.
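To make the mechanism behind the theft and the recommended fix concrete, here is an added example; it is not Furucombo's, Aave's or the attacker's code. It models an ERC-20 token as an in-memory ledger, uses constructed labels ("alice", "combo_proxy" and so on) in place of real addresses, and shows how a standing approval lets a spender contract pull tokens without any further consent from the owner, how an exact-amount approval bounds the loss, and how approve(spender, 0) revokes the allowance. The only real-world constants are the ERC-20 function selectors; the calldata builder at the end produces the payload a revoke transaction carries.

```python
"""Toy model of the ERC-20 allowance ("approval") mechanics behind the incident.

Added example; this is not Furucombo's, Aave's or the attacker's code.
The ledger is an in-memory stand-in for an ERC-20 token, and the names
"alice", "bob", "combo_proxy" etc. are constructed labels, not real addresses.
The only real-world constants are the ERC-20 function selectors.
"""
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # the value most dApps request for an "infinite" approval

# Real ERC-20 4-byte selectors (first 4 bytes of keccak256 of the signature).
SEL_APPROVE = "095ea7b3"        # approve(address,uint256)
SEL_TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)
SEL_ALLOWANCE = "dd62ed3e"      # allowance(address,address)


@dataclass
class Token:
    """Minimal ERC-20 ledger: balances plus (owner, spender) -> allowance."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def balance_of(self, owner):
        return self.balances.get(owner, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve() overwrites; approve(spender, 0) is how an allowance is revoked
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """The spender (msg.sender == caller) pulls `amount` of `owner`'s tokens.
        Nothing here asks the owner: the earlier approve() is the only consent."""
        allowed = self.allowance(owner, caller)
        if allowed < amount or self.balance_of(owner) < amount:
            raise PermissionError("insufficient allowance or balance")
        # Many tokens skip the decrement for an unlimited allowance; modelled that way here
        if allowed != MAX_UINT256:
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


def drain_via_allowances(token, spender, victims, attacker):
    """What code running as a trusted spender can do with standing approvals:
    pull each victim's tokens, capped only by min(balance, allowance)."""
    stolen = {}
    for victim in victims:
        amount = min(token.balance_of(victim), token.allowance(victim, spender))
        if amount:
            token.transfer_from(spender, victim, attacker, amount)
            stolen[victim] = amount
    return stolen


def exposed_allowances(token, owner, spenders):
    """Outstanding allowances per spender: the check a user should run after an incident."""
    return {s: token.allowance(owner, s) for s in spenders if token.allowance(owner, s)}


def encode_revoke_calldata(spender_hex):
    """ABI-encode approve(spender, 0): selector + address left-padded to 32 bytes
    + a 32-byte zero amount. This is the calldata a revoke transaction carries."""
    addr = spender_hex.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40:
        raise ValueError("expected a 20-byte hex address")
    return "0x" + SEL_APPROVE + addr.rjust(64, "0") + "0" * 64


def simulate_incident():
    """Three users approve a hypothetical 'combo_proxy' spender whose logic is later
    controlled by an attacker. Returns (token, stolen, stolen_after_revoke)."""
    token = Token(balances={"alice": 1_000, "bob": 5_000, "carol": 50})
    spender, attacker = "combo_proxy", "attacker"
    users = ["alice", "bob", "carol"]
    token.approve("alice", spender, MAX_UINT256)  # "infinite" approval
    token.approve("bob", spender, MAX_UINT256)
    token.approve("carol", spender, 20)           # exact-amount approval bounds the loss
    stolen = drain_via_allowances(token, spender, users, attacker)

    # Remediation: each user revokes with approve(spender, 0); a second drain gets nothing
    for user in users:
        token.approve(user, spender, 0)
    stolen_after = drain_via_allowances(token, spender, users, attacker)
    return token, stolen, stolen_after


if __name__ == "__main__":
    token, stolen, after = simulate_incident()
    print("stolen:", stolen, "after revoke:", after)
    print("revoke calldata:", encode_revoke_calldata("0x" + "ab" * 20))
```

The point the model makes is that the victims never signed anything at the time of the theft: the approval they granted earlier, to what they believed was a trustworthy contract, was sufficient. Carol, who approved only the amount she needed, loses 20 tokens rather than her whole balance, and once every user has sent approve(spender, 0) the same spender can take nothing more.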