Transaction batching protocol Furucombo suffers $14 million “evil contract” hack


The latest bad contract exploit has seen an attacker steal over $14 million in funds.

Furucombo, a tool that allows users to batch transactions and interactions with multiple DeFi (Decentralized Finance) protocols at the same time, fell victim to an attack involving users' token approvals at around 4:45 p.m. UTC.

The attacker’s address currently contains various cryptocurrencies worth $14 million. The total haul appears to be larger, however, as ETH has been transferred in batches to the privacy mixer Tornado Cash over the last hour.

This attack is conceptually similar to the $20 million Evil Jar attack that hit Pickle Finance last year and the $37 million Evil Spell exploit that hit Alpha Finance earlier this month. In these “bad contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there and gives it access to protocol resources.

So what happened to Furucombo?

An attacker using a fake contract made Furucombo believe that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed the transfer of approved tokens to any address.

– Igor Igamberdiev (@FrankResearcher) February 27, 2021

In this case, the attacker tricked the Furucombo protocol into believing his contract was a new version of Aave. From there, rather than draining funds from the protocol itself as in previous malicious contract exploits, the attacker took the opportunity to transfer the funds of all users who had granted the protocol token permissions.

“Infinite permissions mean you can delete anyone who has interacted with Furucombo,” DeFi Italy hacker and co-founder Emiliano Bonassi told Cointelegraph in a statement.

This type of exploit seems to be growing in popularity, claiming over $70 million in user funds in just a few months.

The team confirmed the attack in a tweet, saying they “believed” they had mitigated the exploit but recommended revoking permissions “out of caution”:

At 16:47 UTC today, the Furucombo proxy was compromised by an attacker. We have disabled the relevant components and believe that the vulnerability needs to be addressed. However, we recommend that users remove permissions out of caution.

– FURUCOMBO (@furucombo) February 27, 2021

Users can use tools like to do this.
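As an added illustration (not from the original article, Furucombo or any revocation tool), the following shows what checking and revoking an ERC-20 permission looks like at the call-data level, using the standard ERC-20 `allowance` and `approve` functions. The addresses are constructed placeholders, and the threshold used to label an approval "unlimited" is an assumption of this example.

```python
# Added example: ERC-20 allowance check and revoke call data, standard library only.
# Selectors are the first 4 bytes of keccak256 of the standard ERC-20 signatures.
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)

# Constructed placeholder addresses, not taken from the incident.
OWNER = "0x" + "11" * 20     # the user's wallet
SPENDER = "0x" + "22" * 20   # stands in for the contract that was granted approval


def _strip0x(value: str) -> str:
    return value[2:] if value.startswith("0x") else value


def _addr_word(address: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    raw = bytes.fromhex(_strip0x(address))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {address!r}")
    return raw.rjust(32, b"\x00")


def allowance_calldata(owner: str, spender: str) -> str:
    """Data for an eth_call asking a token how much `spender` may pull from `owner`."""
    return "0x" + (ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)).hex()


def revoke_calldata(spender: str) -> str:
    """Data for a transaction from the owner to the token: approve(spender, 0)."""
    return "0x" + (APPROVE_SELECTOR + _addr_word(spender) + bytes(32)).hex()


def classify_allowance(eth_call_result: str) -> str:
    """Decode the uint256 returned by allowance() and grade the exposure."""
    raw = bytes.fromhex(_strip0x(eth_call_result))
    if len(raw) != 32:
        raise ValueError("allowance() must return exactly one 32-byte word")
    value = int.from_bytes(raw, "big")
    if value == 0:
        return "none"
    # Assumption of this example: anything >= 2**255 is reported as unlimited,
    # since "infinite" approvals are normally requested as 2**256 - 1.
    return "unlimited" if value >= 2**255 else f"limited:{value}"


if __name__ == "__main__":
    print(allowance_calldata(OWNER, SPENDER))
    print(revoke_calldata(SPENDER))
    print(classify_allowance("0x" + "ff" * 32))  # constructed eth_call result
```

The revoke data has to be sent by the token holder to each token contract on which the approval was granted; one `approve(spender, 0)` clears the permission for that token only.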

The attack comes at a time when the DeFi world is becoming more reflective about security and the usefulness of auditing firms. In the past three months, three different auditing and code review services, each with different incentive models, have been developed to encourage more thorough and dynamic security practices.