Furucombo, a dApp that simplifies trading and Maker/DeFi by making it easy to build multi-step transactions, was compromised. At press time, hackers had drained $14 million from its users’ accounts.
As a decentralized technology that focuses on enabling multiple-step transfers for trading, Furucombo allows users to leverage decentralized financial assets without learning how to code.
Another DeFi Hack
Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.
— FURUCOMBO (@furucombo) February 27, 2021
A hacker has successfully stolen $14 million in funds from the users’ accounts as of the time of publishing.
Furucombo’s proxy smart contract was breached, which gave the hackers the ability to send ETH and ERC20 tokens to their own addresses.
The hacker made a few transactions to hide their tracks by sending funds to the mixer Tornado Cash.
The hacker’s address has approximately 4,560 ETH ($6.8 million) and 5.5 million DAI ($7 million) deposited in Ethereum tokens, which together have a market valuation of $6.8 million.
So what happened to Furuсombo👇
An attacker using a fake contract made Furuсombo think that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL
— Igor Igamberdiev (@FrankResearcher) February 27, 2021
The funds sent to Tornado Cash for laundering are not included in these holdings.
This attack bears technical similarity to the $20 million “evil jar” attack on Pickle Finance that took place last year and the $37 million “evil spell” hack that hit Alpha Finance two weeks ago.
These “evil contract” exploits share a specific flaw: an attacker constructs a contract that tricks a protocol into thinking it belongs there, enabling them to extract funds.
In this case, the attacker fooled the Furucombo protocol into believing that their contract was a brand new version of Aave.
Rather than draining money held by the protocol itself, the attacker used that position to move the tokens of any user who had granted approvals to the protocol.
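Removing approvals, as the Furucombo tweet recommends, starts with knowing which ones are still open. As an added example (not code from Furucombo or from this article), the Python script below replays ERC-20 `Approval` event logs, in the JSON shape `eth_getLogs` returns, and lists the allowances still granted to one spender. Every address and log entry in it is a constructed placeholder.

```python
# topic0 of the standard ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spender):
    """Replay Approval logs in chain order; return non-zero allowances to `spender`.
    Most tokens emit no Approval when transferFrom spends an allowance, so the
    result is an upper bound; confirm with the token's allowance() before acting.
    """
    spender = spender.lower()
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 reuses this topic0 with a 4th indexed topic; ERC-20 has exactly 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (topic_to_address(topics[1]), log["address"].lower())
        latest[key] = int(log["data"], 16)  # later approvals overwrite earlier ones
    return [{"owner": o, "token": t, "allowance": a, "unlimited": a == MAX_UINT256}
            for (o, t), a in sorted(latest.items()) if a > 0]

# --- constructed sample data: every address below is a placeholder ---
PROXY, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20

def make_log(token, owner, spender, value, block, index):
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_A, BOB, PROXY, 0, 18, 1),              # Bob revokes (listed out of order)
    make_log(TOKEN_A, ALICE, PROXY, MAX_UINT256, 16, 0),  # unlimited approval
    make_log(TOKEN_A, BOB, PROXY, 500, 17, 0),
    make_log(TOKEN_B, ALICE, OTHER, 1000, 18, 0),         # different spender, ignored
    make_log(TOKEN_B, ALICE, PROXY, 250, 19, 0),
]

if __name__ == "__main__":
    for row in outstanding_allowances(SAMPLE_LOGS, PROXY):
        print(row)
```

Rows marked `unlimited` are the ones to revoke first, since an unlimited allowance exposes the owner's entire balance of that token to the approved contract.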
The attack comes at a moment when the wider DeFi community is debating security and the effectiveness of auditing firms.
The following subsections provide an outline of emerging developments in auditing and code review activities.
What is Furucombo?
Furucombo makes DeFi optimization easy for end users through drag-and-drop tools. It visualizes complicated DeFi protocols as building blocks (cubes).
Users only have to enter values for their inputs and outputs and set the order of the blocks, at which stage Furucombo bundles all of the cubes together and sends them out.
Furucombo has grown exponentially over the past nine months and has since become a DeFi gateway.
COMBO token holders would be incentivized to share fees earned on Furucombo, take part in the management of the platform, and enjoy premium functionality.
About half of the total COMBO token supply would be allocated to the community.
The first Furucombo V1 and Compound support was introduced to the network in April of this year, nine months after the network’s formal launch in March 2020.
Do you use COMBO?