{"id":23,"date":"2021-02-27T21:56:46","date_gmt":"2021-02-27T21:56:46","guid":{"rendered":"https:\/\/cryptoheretostay.com\/2021\/02\/27\/transaction-batching-protocol-furucombo-suffers-14-million-evil-contract-hack\/"},"modified":"2021-02-27T21:56:47","modified_gmt":"2021-02-27T21:56:47","slug":"transaction-batching-protocol-furucombo-suffers-14-million-evil-contract-hack","status":"publish","type":"post","link":"https:\/\/cryptoheretostay.com\/?p=23","title":{"rendered":"Transaction batching protocol Furucombo suffers $14 million \u201cevil contract\u201d hack"},"content":{"rendered":"<p>The latest \u201cevil contract\u201d exploit has netted an attacker over $14 million in stolen funds.\u00a0<\/p>\n<p>Furucombo, a tool designed to help users \u201cbatch\u201d transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC, which centered on token approvals from users. <\/p>\n<p>The attacker\u2019s address currently has $14 million worth of various cryptocurrencies, but the attack appears to be larger as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour. <\/p>\n<p>This attack is conceptually similar to the $20 million \u201cevil jar\u201d attack that struck Pickle Finance last year, as well as the $37 million \u201cevil spell\u201d exploit that hit Alpha Finance earlier this month. 
In these \u201cevil contract\u201d exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds. <\/p>\n<p lang=\"en\" dir=\"ltr\">So what happened to Furucombo<\/p>\n<p>An attacker using a fake contract made Furucombo think that Aave v2 has a new implementation.<br \/>Because of this, all interactions with \u2018Aave v2\u2019 allowed transfers of approved tokens to an arbitrary address. pic.twitter.com\/gQVxJqiAmL<\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) February 27, 2021<\/p>\n<p>In this case, the attacker \u2018tricked\u2019 the Furucombo protocol into thinking that their contract was a new version of Aave. From there, instead of draining funds from the protocol as in previous evil contract exploits, the attacker leveraged the ability to transfer the funds of every user who had given the protocol token permissions.\u00a0<\/p>\n<p>\u201cInfinite permissions means you can wipe everyone who interacted with Furucombo,\u201d said whitehat hacker and co-founder of DeFi Italy Emiliano Bonassi in a statement to Cointelegraph. <\/p>\n<p>This type of exploit appears to be growing increasingly popular, now accounting for over $70 million in user funds lost in just a few months. <\/p>\n<p>The team confirmed the attack in a Tweet, saying that they \u201cbelieved\u201d they\u2019d mitigated the exploit but recommended revoking permissions \u201cout of an abundance of caution:\u201d<\/p>\n<p lang=\"en\" dir=\"ltr\">Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. 
We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.<\/p>\n<p>\u2014 FURUCOMBO (@furucombo) February 27, 2021<\/p>\n<p>Users can leverage tools like revoke.cash to do so.\u00a0<\/p>\n<p>The attack comes during a period of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to encourage more thorough and dynamic security practices. <\/p>\n<p><a href=\"https:\/\/cointelegraph.com\/news\/transaction-batching-protocol-furucombo-suffers-14-million-evil-contract-hack\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The latest \u201cevil contract\u201d exploit has netted an attacker over $14 million in stolen funds.\u00a0 Furucombo, a tool designed to help users \u201cbatch\u201d transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC, which centered on token approvals from users. 
The attacker\u2019s address currently [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wp_rev_ctl_limit":""},"categories":[3],"tags":[],"class_list":["post-23","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum-news"],"_links":{"self":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/23","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23"}],"version-history":[{"count":1,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions"}],"predecessor-version":[{"id":25,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions\/25"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=\/wp\/v2\/media\/24"}],"wp:attachment":[{"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoheretostay.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}