The latest "bad contract" exploit has resulted in an attacker stealing over $14 million in user funds.
Furucombo, a tool that allows users to stack transactions and interactions with multiple protocols at the same time, fell victim to the attack aimed at user token approvals.
The attacker's address currently holds various cryptocurrencies worth $14 million. The haul appears to be larger, however, as ETH was transferred in batches to the privacy mixer Tornado Cash over the past hour.
This attack is conceptually similar to the $20 million Evil Jar attack that hit Pickle Finance last year and the $37 million Evil Spell exploit that hit Alpha Finance earlier this month. In these "bad contract" exploits, an attacker deploys a contract that leads a protocol to believe it belongs there, and the protocol grants it access to the protocol's resources.
So what happened to Furucombo?
An attacker using a fake contract made Furucombo believe that Aave v2 has a new implementation.
Because of this, all interactions with “Aave v2” allowed the transfer of approved tokens to any address. pic.twitter.com/gQVxJqiAmL
– Igor Igamberdiev (@FrankResearcher) February 27, 2021
In this case, the attacker tricked the Furucombo protocol into believing his contract was a new version of Aave. From there, rather than pulling funds from the protocol itself as in previous malicious-contract exploits, the attacker was able to transfer the funds of any user who had granted token approvals to the protocol.
“Infinite permissions mean you can delete anyone who interacts with Furucombo,” DeFi Italy hacker and co-founder Emiliano Bonassi told Cointelegraph in a statement.
This type of exploit seems to be growing in popularity and now accounts for over $ 70 million in user funds that were lost in a matter of months.
The team confirmed the attack in a tweet, saying it “believed” they had mitigated the exploit, but recommended revoking the permissions “out of caution”:
At 16:47 UTC today, the Furucombo proxy was compromised by an attacker. We have disabled the relevant components and believe that the vulnerability needs to be addressed. However, we recommend that users remove permissions out of caution.
– FURUCOMBO (@furucombo) February 27, 2021
Users can use tools like revoke.cash to do this.
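The two points above, that an approval is granted to a contract address rather than to the code that address currently runs, and that revoking the approval closes the exposure, can be seen in a small model of ERC-20 allowance bookkeeping. This is an added example written for this article, not Furucombo, Aave or revoke.cash code; the `Token` class and addresses are a constructed toy, while the two 4-byte function selectors are the real ones for the standard ERC-20 `approve` and `allowance` functions.

```python
"""Toy model of ERC-20 approvals (constructed example, not any project's code).

Shows why an unlimited approval to a proxy contract puts a user's whole balance
at risk whatever logic the proxy ends up executing, and why setting the
allowance back to zero is the mitigation the Furucombo team recommended."""

UINT256_MAX = 2**256 - 1  # the "infinite" approval value many dapps request

# Real ERC-20 selectors: first 4 bytes of keccak256 of the function signature
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)


class Token:
    """Minimal ERC-20 balance and allowance bookkeeping (toy, in-memory)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount the spender may move

    def approve(self, owner, spender, amount):
        # The approval is keyed on the spender *address*; the token never
        # inspects what code that address delegates to.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # unlimited approvals are never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens of `owner` that `spender` could move right now: this is the
    number a user should check for every contract they have approved."""
    return min(token.balances.get(owner, 0),
               token.allowance.get((owner, spender), 0))


def build_revoke_calldata(spender_address):
    """ABI-encode approve(spender, 0): the transaction a revoke tool sends.
    Layout: 4-byte selector, then the address and the amount each left-padded
    to 32 bytes, 68 bytes in total."""
    raw = spender_address[2:] if spender_address.startswith("0x") else spender_address
    spender = bytes.fromhex(raw)
    if len(spender) != 20:
        raise ValueError("address must be 20 bytes")
    return SEL_APPROVE + spender.rjust(32, b"\x00") + (0).to_bytes(32, "big")


def demo():
    """Walk through approve -> legitimate use -> revoke on constructed data."""
    user = "0x" + "11" * 20     # constructed address
    proxy = "0x" + "22" * 20    # constructed address of the approved contract
    recipient = "0x" + "33" * 20
    token = Token({user: 1_000})

    token.approve(user, proxy, UINT256_MAX)      # the usual "infinite" approval
    before = exposure(token, user, proxy)        # whole balance is reachable

    token.transfer_from(proxy, user, recipient, 100)  # a normal interaction

    token.approve(user, proxy, 0)                # revoke, as revoke.cash does
    after = exposure(token, user, proxy)         # nothing reachable any more
    try:
        token.transfer_from(proxy, user, recipient, 1)
        blocked = False
    except PermissionError:
        blocked = True
    return before, after, blocked


if __name__ == "__main__":
    print(demo())                                  # (1000, 0, True)
    print(build_revoke_calldata("0x" + "22" * 20).hex())
```

The lesson for users is the `exposure` figure: with an unlimited approval it equals the entire token balance, and it stays there until `approve(spender, 0)` is sent, regardless of whether the approved contract is still running the code it ran when the approval was granted.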
The attack comes at a time when the DeFi world is reflecting more on security and on the value of audit firms. In the past three months, three different auditing and code review services, each with a different incentive model, have launched to encourage more thorough and continuous security practices.