$15 000 000 USD

FEBRUARY 2021

GLOBAL

FURUCOMBO

DESCRIPTION OF EVENTS

"Furucombo, a drag and drop tool for users to create DeFi transactions," "suffered a contract exploit on Feb. 27." "Furucombo adopts a permissionless “drag-and-drop DeFi” feature allowing users to build a custom strategy for earning from different DeFi projects. Moreover, it aggregates various liquidity pools and DeFi functionalities." The "tool designed to help users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC."


"The attacker us[ed] a fake contract to trick the protocol into thinking that their contract was a new version of Aave. In an official post-mortem on March 1, Furucombo said that the breach affected 22 users, resulting in a loss worth $15 million in 21 different assets. The stolen assets included major DeFi coins like Bao Finance (BAO), COMBO, Curve DAO (CRV), as well as popular stablecoins like Tether (USDT) and USD Coin (USDC), Furucombo told Cointelegraph." "The hacker [sent] funds to the mixer Tornado Cash to cover their tracks and withdraw funds."


"In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds." "In this case, the attacker ‘tricked’ the Furucombo protocol into thinking that their contract was a new ver[si]on of Aave. From there, instead of draining funds from the protocol as in previous evil contract exploits, the attacker instead leveraged the ability to transfer the funds of every user who had given the protocol token permissions." "After successfully tricking Furucombo into believing it was a new version of Aave, the evil contract was able to take advantage of poorly configured permissions in Furucombo user accounts. These users gave ERC20 token permissions to the Furucombo protocol, allowing it to perform transactions using those tokens without further approvals." "“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy Emiliano Bonassi in a statement to Cointelegraph." "Unlike many DeFi hacks, where the protocol itself suffers the losses, this vulnerability enabled direct exploitation of user accounts to the tune of at least $14 million in cryptocurrency."


"Furucombo has reported the issue to law enforcement and has started cooperating with smart contract analytics service Certora to receive a full audit for the incident." "Following an internal call with affected users, Furucombo released a compensation plan, announcing that they will issue 5 million iouCOMBO tokens to the victims of the breach. Issued in the form of ERC-20 tokens, iouCOMBO tokens will represent the rights to claim Furucombo’s COMBO tokens in the recovery pool." "Furucombo’s hack is another reminder for DeFi users to seriously consider contract security and not use money in new protocols that they can’t afford to lose."

Only the most intelligent contract in the world would think it's a good idea to send the funds of every participant to a hacker in response to their request.

HOW COULD THIS HAVE BEEN PREVENTED?

A multi-signature wallet holding protocol funds, with keys held by different trained individuals, is the usual answer, but on its own it would only partly apply here. As the reports above note, the stolen tokens never sat in Furucombo's custody: they were taken directly from users' wallets through the ERC-20 allowances those users had granted to the Furucombo contract, and the attacker's contract was accepted as a new version of Aave without any human in the loop. Two controls address that. On the protocol side, any change to the set of contracts that may act with the protocol's identity (a new handler, a new integration, an upgraded Aave) should require review and sign-off by several trained people, which is where a multi-signature arrangement does help; it is doubtful that any trained person would accept a request claiming to be Aave 2 without questioning it, and even more doubtful if that request amounted to moving the funds of every client to a single address. On the user side, approvals should cover only the amount a transaction actually needs rather than being unlimited, and approvals that are no longer needed should be revoked, so that a compromised contract can move at most what was approved.
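The mechanics described in the quoted reports (a contract executing with the protocol's identity spending every allowance users granted to it) and the user-side mitigation above, modelled as an added Python example. This is not Furucombo's code and does not reproduce how its contracts are written: the token, the proxy, the handler slot named aave_v2, the user balances and the allowance audit helper are constructed for illustration, and the way the attacker's contract came to occupy that slot is an assumption, since the reports only say the protocol was tricked into treating it as a new version of Aave.

```python
"""ERC-20 allowance model plus an "evil contract" drain through a trusted proxy.

Added example, not Furucombo's code. Names, balances and the handler slot are
constructed; the attacker simply being able to fill the slot is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_UINT256 = 2**256 - 1  # the "infinite" approval value most dapps request


class InsufficientAllowance(Exception):
    pass


@dataclass
class Token:
    """Minimal ERC-20 allowance model (constructed for this example)."""
    symbol: str
    balances: Dict[str, int] = field(default_factory=dict)
    allowances: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        """Spend `owner`'s allowance granted to `caller`, as ERC-20 transferFrom does."""
        allowed = self.allowance(owner, caller)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise InsufficientAllowance(f"{caller} cannot move {amount} {self.symbol} of {owner}")
        if allowed != MAX_UINT256:  # many tokens never decrement an infinite approval
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


Handler = Callable[[str], None]  # receives the identity it executes under


class Proxy:
    """Aggregator contract the users approved. Handlers execute with the proxy's
    identity (as a delegatecall target would), so whatever code sits in a handler
    slot can spend every allowance granted to the proxy."""
    ADDRESS = "furucombo_proxy"  # hypothetical label, not a real address

    def __init__(self) -> None:
        self.handlers: Dict[str, Handler] = {}

    def set_handler(self, name: str, handler: Handler) -> None:
        self.handlers[name] = handler

    def batch_exec(self, name: str) -> None:
        self.handlers[name](self.ADDRESS)


def run_scenario(approval: int) -> int:
    """Users approve `approval` units to the proxy; an attacker-controlled
    'new Aave' handler then moves what the allowances permit. Returns the total stolen."""
    usdc = Token("USDC", balances={"alice": 1000, "bob": 500})  # constructed balances
    for user in ("alice", "bob"):
        usdc.approve(user, Proxy.ADDRESS, approval)

    proxy = Proxy()

    def evil_aave_v2(me: str) -> None:  # runs with the proxy's identity
        for victim in ("alice", "bob"):
            take = min(usdc.balances[victim], usdc.allowance(victim, me))
            if take:
                usdc.transfer_from(me, victim, "attacker", take)

    # Assumption for the model: the attacker's code ends up in the aave_v2 slot.
    proxy.set_handler("aave_v2", evil_aave_v2)
    proxy.batch_exec("aave_v2")
    return usdc.balances.get("attacker", 0)


def unlimited_allowances(token: Token, spender: str) -> List[str]:
    """Audit helper: owners who granted `spender` an unbounded allowance."""
    return sorted(o for (o, s), a in token.allowances.items()
                  if s == spender and a == MAX_UINT256)


if __name__ == "__main__":
    print("infinite approvals, stolen:", run_scenario(MAX_UINT256))
    print("approval of 100 each, stolen:", run_scenario(100))
    print("approvals revoked, stolen:", run_scenario(0))
```

With unlimited approvals the handler empties both wallets; with an approval of 100 each the same code can take no more than 200 regardless of the balances, and with approvals revoked it takes nothing. `unlimited_allowances` is the check a user or operations team would run over allowance records for any contract they have interacted with.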


Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.