Latest Ethereum DeFi exploit sees $14 million stolen from ‘Furucombo’

Cover art/illustration via CryptoSlate

DeFi exploits and attacks have become increasingly commonplace as the space evolves and attracts both money and participants. The latest of these attacks took place earlier today and saw over $14 million worth of crypto stolen.

Furucombo attacked

Furucombo, an Ethereum-based transaction “batching” protocol, said this morning that the platform had been exploited and asked all users to cease all approvals as a precaution.

The tool is built for end-users to optimize their DeFi strategy by using a simple ‘drag and drop’ mechanism. The tool allows users who don’t know how to code but understand DeFi markets to create and run their own strategies.

The protocol saw an exploit this morning. “We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution,” Furucombo said in a tweet.

As per The Block researcher Igor Igamberdiev, the attacker was able to conduct the exploit by tricking Furucombo’s smart contracts into trusting and processing a fake dataset belonging to the decentralized lending service Aave, a protocol that allows users to take out loans via collateral (or flash loans with no collateral).

“An attacker using a fake contract made Furucombo think that Aave v2 has a new implementation,” said Igamberdiev in a tweet. He added that this caused all interactions with “Aave v2” to be “approved” and sent to an address controlled by the hacker.

On-chain data further shows that the attacker transferred the funds of every user who had ‘approved’ Furucombo to conduct transactions on their behalf, resulting in over $14 million getting stolen.
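The advice to remove approvals follows from how ERC-20 allowances work: an approval stays in force until the owner overwrites it. The Python below is an added example, not code from the article or from Furucombo; it replays constructed ERC-20 `Approval` event logs and lists which owners still have a non-zero allowance to a given spender. All addresses and the `PROXY`/`OTHER` names are made-up placeholders.

```python
# Added example. All addresses and log entries below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # common "infinite approval" value

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; the last 20 bytes are the address.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Map (token, owner) -> last non-zero allowance granted to `spender`."""
    spender = spender.lower()
    latest = {}
    # A later approve() overwrites an earlier one, so replay in chain order.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def _log(block, idx, token, owner, spender, amount, extra_topic=False):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    topics = [APPROVAL_TOPIC, pad(owner), pad(spender)]
    if extra_topic:  # shape of an ERC-721 Approval (tokenId indexed)
        topics.append(hex(amount))
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": topics, "data": hex(amount)}

TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20
PROXY, OTHER = "0x" + "ff" * 20, "0x" + "ee" * 20   # PROXY = spender under review

SAMPLE_LOGS = [
    _log(105, 1, TOKEN_A, BOB, PROXY, 0),            # Bob revokes
    _log(100, 0, TOKEN_A, ALICE, PROXY, UNLIMITED),  # Alice: unlimited, never revoked
    _log(101, 2, TOKEN_A, BOB, PROXY, 500),
    _log(102, 0, TOKEN_B, ALICE, OTHER, 1000),       # different spender
    _log(103, 0, TOKEN_B, ALICE, PROXY, 7, extra_topic=True),  # NFT approval
]

if __name__ == "__main__":
    for (token, owner), amount in outstanding_approvals(SAMPLE_LOGS, PROXY).items():
        label = "UNLIMITED" if amount == UNLIMITED else str(amount)
        print(f"revoke: owner={owner} token={token} allowance={label}")
```

Event logs show what was granted, not what remains: many tokens reduce the allowance on `transferFrom` without emitting `Approval`, so confirm each hit with the token's `allowance(owner, spender)` before acting on it.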

Over 3,900 stETH (a staked Ethereum token) and $2.4 million in stablecoin USDC were the biggest bags hit. The attacker/s have been transferring their illicitly-gained stash to privacy mixer Tornado Cash, a tool that masks addresses and allows users to swap cryptocurrencies on-chain.

Taking responsibility

Hsuan-Ting, the CEO of crypto exchange Dinngo, the firm that builds and maintains Furucombo, said the firm takes responsibility for getting attacked and asked users to not “worry about any of their losses.

“We are calculating how much is lost and planning what is the mitigation plan,” Hsuan-Ting said, adding:

“Will keep everyone posted. Together we are stronger.”

Meanwhile, Curve Finance’s Julien Bouteloup said on Twitter that such “evil contract” exploits were seemingly the new “holy grail.”

He was likely referring to previous attacks on Alpha Finance and Pickle Finance that saw a similar “evil contract” drain millions of dollars in cryptocurrencies by tricking the protocols into approving and accepting fake contracts. The projects mitigated further damage at the time and continue to live on.
