Latest Ethereum DeFi exploit sees $14 million stolen from ‘Furucombo’
DeFi exploits and attacks have become increasingly commonplace as the space evolves and attracts both money and participants.
DeFi exploits and attacks have become increasingly commonplace as the space evolves and attracts both money and participants. The latest of these attacks took place earlier today and saw over $14 million worth of crypto stolen.
Furucombo, an Ethereum-based transaction “batching” protocol, said this morning that the platform had been exploited and asked all users to revoke their token approvals as a precaution.
The tool is built for end-users to optimize their DeFi strategy by using a simple ‘drag and drop’ mechanism. The tool allows users who don’t know how to code but understand DeFi markets to create and run their own strategies.
The protocol saw an exploit this morning. “We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution,” Furucombo said in a tweet.
We are working on the next steps and will update our community as soon as we can.
Please remove your token approvals on https://t.co/jcZmbiUQOR towards our contract at the earliest.
Our smart contract: 0x17e8Ca1b4798B97602895f63206afCd1Fc90Ca5f
— FURUCOMBO (@furucombo) February 27, 2021
According to The Block researcher Igor Igamberdiev, the attacker carried out the exploit by tricking Furucombo’s smart contracts into trusting and processing a fake dataset belonging to the decentralized lending service Aave, a protocol that allows users to take out loans against collateral (or flash loans with no collateral).
“An attacker using a fake contract made Furucombo think that Aave v2 has a new implementation,” Igamberdiev said in a tweet. He added that this caused all interactions with “Aave v2” to be “approved” and sent to an address controlled by the hacker.
On-chain data further shows that the attacker transferred the funds of every user who had ‘approved’ Furucombo to conduct transactions on their behalf, resulting in over $14 million getting stolen.
Over 3,900 stETH (a staked Ethereum token) and $2.4 million in the stablecoin USDC were the biggest bags hit. The attacker(s) have been transferring their illicitly gained stash to the privacy mixer Tornado Cash, a tool that masks addresses and allows users to swap cryptocurrencies on-chain.
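The loss pattern described above hinges on ERC-20 token approvals: users had granted the Furucombo contract an allowance, often an unlimited one, so once the contract could be steered to a hostile destination, everything covered by that allowance was movable. The following is an added illustrative model written for this article, not Furucombo’s or Aave’s code; the token, user and contract addresses are constructed placeholders. It shows how allowance and balance together bound the worst-case loss for a user of a subverted spender contract, why a bounded approval caps that loss where an unlimited one does not, and how a user would enumerate the unlimited approvals that “remove your token approvals” refers to.

```python
"""Simplified ERC-20 allowance model (constructed example, not Furucombo's code).

Demonstrates the blast radius of an unlimited approval to a contract that is
later subverted, versus a bounded approval, and how to list the approvals a
user should revoke.
"""

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance many dApps request once


class Token:
    """Minimal ERC-20: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is how a user revokes an allowance
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # unlimited allowances are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens `spender` could move from `owner` right now: min(balance, allowance)."""
    return min(token.balances.get(owner, 0),
               token.allowances.get((owner, spender), 0))


def unlimited_approvals(token, owner):
    """Spenders holding an unlimited allowance from `owner`: the revoke list."""
    return sorted(spender for (o, spender), amount in token.allowances.items()
                  if o == owner and amount == MAX_UINT256)


def worst_case_loss(token, owner, spender, sink):
    """Loss if `spender` is controlled by an attacker who pulls everything allowed.
    Returns the amount moved to `sink`."""
    amount = exposure(token, owner, spender)
    if amount:
        token.transfer_from(spender, owner, sink, amount)
    return amount


def scenario():
    """Two users of the same batching contract, after that contract is subverted."""
    BATCHER, SINK = "0xbatcher", "0xsink"  # placeholder addresses, not real ones
    steth = Token({"alice": 3_000, "bob": 3_000})
    steth.approve("alice", BATCHER, MAX_UINT256)  # one-time "infinite" approval
    steth.approve("bob", BATCHER, 100)            # approves only what the next combo needs
    lost_alice = worst_case_loss(steth, "alice", BATCHER, SINK)
    lost_bob = worst_case_loss(steth, "bob", BATCHER, SINK)
    return lost_alice, lost_bob


if __name__ == "__main__":
    print("loss with unlimited vs bounded approval:", scenario())
```

The point for a user is that `exposure` is the number to watch: an unlimited allowance makes it equal to the entire balance, and it stays that way until `approve(spender, 0)` is called, whereas a bounded allowance shrinks with each use and caps what a compromised spender can take.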
Hsuan-Ting, the CEO of crypto exchange Dinngo, the firm that builds and maintains Furucombo, said the firm takes responsibility for the attack and asked users not to “worry about any of their losses. We are calculating how much is lost and planning what is the mitigation plan,” adding:
“Will keep everyone posted. Together we are stronger.”
Meanwhile, Curve Finance’s Julien Bouteloup said on Twitter that such “evil contract” exploits were seemingly the new “holy grail.”
“evil contract” exploit is the new DeFi Holy Grail?
= a contract that fools the protocol into believing it is an existing "safe" contract
Furucombo got fooled with this new contract thinking it was aave v2 stuff. And top users with infinite allowance got rekt…
>$13.5M lost pic.twitter.com/s03egtRO7w
— Julien Bouteloup (@bneiluj) February 27, 2021
He was likely referring to previous attacks on Alpha Finance and Pickle Finance that saw a similar “evil contract” drain millions of dollars in cryptocurrencies by tricking the protocols into approving and accepting fake contracts. The projects mitigated further damage at the time and continue to live on.