
DeFi Transaction Bundler Furucombo Suffers $14 Million Exploit

Furucombo, a tool developed to help users batch transactions and interactions with various decentralized finance (DeFi) protocols at once, fell prey to an attack that focused on token approvals granted by users. At press time, a hacker had drained over $14 million of users’ funds. The hacker attacked Furucombo’s proxy smart contract, which allowed them to withdraw ETH and ERC20 tokens. The hacker then began transferring funds to the mixer Tornado Cash to conceal their tracks and cash out.

At the time of writing, the hacker’s address holds around 4,560 ETH worth approximately $6.8 million and more than $7 million in ERC20 tokens. This also includes more than 5.5 million in DAI. These figures do not include the funds already transferred to Tornado Cash for laundering. Moreover, an unlucky Furucombo user commented on the project’s update that he lost $197,000 in USDT in the hack and asked how the company intends to make up for it. In response, a Furucombo marketing team member said that a mitigation plan will be shared with the community in due course.

Furucombo’s Attack is Conceptually Similar to Evil Jar Attack and Evil Spell Attack

According to analysts, Furucombo’s attack is conceptually similar to the $20 million evil jar attack that struck Pickle Finance last year and the $37 million evil spell attack that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker deploys a contract that the victim protocol accepts as a legitimate component, giving the attacker access to protocol funds. In this case, the attacker ‘fooled’ the Furucombo protocol into believing that their contract was a new Aave version. Further, instead of draining funds from the protocol itself as in earlier evil contract exploits, the attacker leveraged the ability to transfer the funds of every user who had granted the protocol token approvals.
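As an added illustration (not Furucombo’s code), the unsafe pattern behind an “evil contract” exploit beside a hardened form: a batch proxy that will execute any caller-supplied handler versus one that only executes handlers in an owner-maintained registry. All contract, function and event names here are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// UNSAFE pattern (illustrative, not Furucombo's actual code): the proxy
// delegatecalls into whatever handler address the caller supplies. Users have
// granted this proxy ERC20 approvals, so any handler runs with the proxy's
// identity and can spend those approvals via transferFrom() on every user
// who approved the proxy, not just the caller.
contract UnsafeBatchProxy {
    function batchExec(address[] calldata handlers, bytes[] calldata datas) external {
        for (uint256 i = 0; i < handlers.length; i++) {
            // No check on handlers[i]: an attacker-controlled contract is accepted.
            (bool ok, ) = handlers[i].delegatecall(datas[i]);
            require(ok, "handler call failed");
        }
    }
}

// HARDENED pattern: only handlers explicitly registered by the owner may be
// executed, so a contract posing as a "new protocol version" is rejected
// before any delegatecall happens. Registration is only as strong as the
// review of the handler's code, because delegatecall still runs that code
// against the proxy's storage and approvals.
contract RegistryGatedBatchProxy {
    address public immutable owner;
    mapping(address => bool) public isRegisteredHandler;

    event HandlerRegistered(address indexed handler, bool allowed);

    constructor() { owner = msg.sender; }

    function setHandler(address handler, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(handler.code.length > 0, "handler must be a contract");
        isRegisteredHandler[handler] = allowed;
        emit HandlerRegistered(handler, allowed);
    }

    function batchExec(address[] calldata handlers, bytes[] calldata datas) external {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            require(isRegisteredHandler[handlers[i]], "handler not registered");
            (bool ok, ) = handlers[i].delegatecall(datas[i]);
            require(ok, "handler call failed");
        }
    }
}
```

Even with the registry in place, a standing ERC20 approval to the proxy remains a liability for the user, which is why revoking unused approvals is the recommended response for anyone who interacted with the affected proxy.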

Moreover, anyone who interacted with the Furucombo proxy should revoke the token approvals that allow funds to be withdrawn from their wallet, using a tool such as Revoke. Meanwhile, three auditing and code review services have appeared in the last three months, each with a distinct incentive model to encourage more accurate and dynamic security practices. Furucombo’s hack is another reminder that DeFi users should take contract security seriously and not put money into new protocols that they can’t afford to lose.
