The week starts well – Furucombo, a protocol that batches interactions with several DeFi protocols into a single transaction, was the target of an attack that resulted in the loss of $14 million.

$14 million stolen

On Saturday 27 February, the Furucombo protocol informed its users via Twitter that it had been the target of an attack. The Furucombo team immediately took several measures to contain the problem.

Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.

In practice, the attacker managed to siphon $14 million from the wallets of users who had previously interacted with the protocol.

However, it remains difficult for the moment to assess the exact extent of the damage, because the attacker quickly began laundering the funds by passing them through the Tornado Cash mixer.

Attack by "malicious contract"

In practice, this attack was carried out by means of a "malicious contract", as pointed out by @FrankResearcher, analyst for TheBlock.

So what happened to Furucombo👇

An attacker using a fake contract made Furucombo think that Aave v2 has a new implementation. Because of this, all interactions with ‘Aave v2’ allowed transfers of approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL

To do so, the attacker created and deployed a fake smart contract that made Furucombo believe it was a new implementation of Aave v2.

Unlike most attacks targeting protocol pools, this one directly impacted protocol users.

Indeed, the attacker used this smart contract to transfer all the tokens that users had approved for spending to an address under his own control.

Following the attack, Furucombo urged its users to revoke the spending authorizations issued on the protocol. To do this, users can use the Revoke.cash tool.

The "infinite permissions" problem

This attack brings back to the forefront a debate that has already stirred the DeFi sphere on many occasions.

Indeed, when a user interacts with a decentralized application, they must authorize the application to spend their funds. However, many applications offer two types of authorization:

It is this second authorization, the "infinite" permission, that is the subject of debate. Indeed, in the case of Furucombo, it is precisely the use of this type of authorization that allowed the attacker to access the users’ funds.
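As an added illustration (not code from the article, from Furucombo or from Aave), here is a toy Python model of the ERC-20 approve/transferFrom mechanism. It shows why an unlimited allowance granted to a spender that is later compromised exposes the owner's entire balance, whereas an exact allowance caps the loss and a revocation (approve to 0, which is what Revoke.cash submits) removes it; all account names and amounts are constructed.

```python
# Added illustration: toy model of ERC-20 allowances (not Furucombo's code).
MAX_UINT256 = 2**256 - 1  # the value wallets use for an "infinite" approval


class Token:
    """Minimal in-memory ERC-20: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is the revocation a user submits after an incident
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # common ERC-20s never decrement "infinite" approvals
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens a spender can move right now: bounded by both allowance and balance."""
    return min(token.allowances.get((owner, spender), 0), token.balances.get(owner, 0))


def loss_if_spender_compromised(token, owner, spender, sink):
    """Worst case for the owner if `spender` starts executing someone else's logic."""
    amount = exposure(token, owner, spender)
    if amount:
        token.transfer_from(spender, owner, sink, amount)
    return amount


def compare_approval_styles(balance=1_000, exact=100):
    """Same user, same compromise, three approval states (constructed scenario)."""
    results = {}
    for label, allowance in (("exact", exact), ("infinite", MAX_UINT256), ("revoked", 0)):
        t = Token({"user": balance})
        t.approve("user", "proxy", allowance)
        results[label] = loss_if_spender_compromised(t, "user", "proxy", "sink")
    return results


if __name__ == "__main__":
    print(compare_approval_styles())  # {'exact': 100, 'infinite': 1000, 'revoked': 0}
```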

The Furucombo team is currently working on a method of compensating the affected users. It has also raised the idea of a migration plan, the details of which are to be unveiled in the coming days.

