Transaction batching protocol Furucombo suffers $14 million “evil contract” hack

Feb 27, 2021 | CoinTelegraph News


The latest attack relied on user permissions granted to the protocol

The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds. 

Furucombo, a tool designed to help users “batch” transactions and interactions with multiple protocols at once, fell victim to the attack, which centered on token approvals granted by users.

The attacker’s address currently holds $14 million worth of various cryptocurrencies, but the total stolen appears to be larger, as the attacker has been transferring ETH to the privacy mixer Tornado Cash in batches over the last hour.

This attack is conceptually similar to the $20 million “evil jar” attack that struck Pickle Finance last year, as well as the $37 million “evil spell” exploit that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds.

In this case, the attacker ‘tricked’ the Furucombo protocol into treating their contract as a new version of Aave. From there, instead of draining funds from the protocol itself as in previous evil contract exploits, the attacker leveraged the ability to transfer the funds of every user who had granted the protocol token permissions.

“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy Emiliano Bonassi in a statement to Cointelegraph.

This type of exploit appears to be growing increasingly popular, now accounting for over $70 million in user funds lost in just a few months.

The team confirmed the attack in a tweet, saying that they “believed” they’d mitigated the exploit but recommended revoking permissions “out of an abundance of caution”.

Users can leverage tools like revoke.cash to do so. 
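The exposure the article describes is an unlimited ERC-20 allowance granted to a single protocol contract, and the mitigation is revoking it. As an added example (not code from the article, Furucombo or revoke.cash), the script below scans ERC-20 `Approval` event logs for unlimited allowances from one owner to one spender and builds the `approve(spender, 0)` calldata that revokes each; the event topic and function selector are the standard ERC-20 values, while all addresses and logs are constructed placeholders.

```python
# Added example (not Furucombo's or the article's code): find unlimited ERC-20
# allowances granted to one spender and build the calldata that revokes them.

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1        # what wallets encode as an "infinite" approval

def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[2:].rjust(64, "0")[-40:]

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + padded address + zero amount."""
    addr = spender[2:].lower().rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + "00" * 32

def find_unlimited_approvals(logs, owner, spender):
    """Return (token, allowance) for every log where `owner` granted `spender`
    an unlimited allowance: the balance a rogue spender could move."""
    findings = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_to_address(topics[1]).lower() != owner.lower():
            continue
        if topic_to_address(topics[2]).lower() != spender.lower():
            continue
        if int(log["data"], 16) == MAX_UINT256:
            findings.append((log["address"], MAX_UINT256))
    return findings

# Constructed sample data (placeholder addresses, not real contracts).
OWNER, PROTOCOL, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
pad = lambda a: "0x" + "00" * 12 + a[2:]  # pad an address into a 32-byte topic
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(PROTOCOL)],
     "data": "0x" + "ff" * 32},                         # unlimited -> flagged
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(PROTOCOL)],
     "data": "0x" + (1000).to_bytes(32, "big").hex()},  # bounded -> ignored
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(OTHER)],
     "data": "0x" + "ff" * 32},                         # other spender -> ignored
]

if __name__ == "__main__":
    for token, _ in find_unlimited_approvals(SAMPLE_LOGS, OWNER, PROTOCOL):
        # the revoke calldata is sent in a transaction to the token contract
        print(f"unlimited approval on {token}: revoke with {revoke_calldata(PROTOCOL)}")
```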

The attack comes during a period of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to encourage more thorough and dynamic security practices.

News Source from CoinTelegraph.com
