Transaction Batching Protocol Furucombo suffers a $ 14 million “nasty contract” hack


Related articles

The latest bad contract exploit resulted in over $ 14 million in stolen funds from an attacker.

Furucombo, a tool that allows users to stack transactions and interactions with multiple protocols at the same time, fell victim to the attack aimed at user token approvals.

The attacker’s address currently contains various cryptocurrencies worth $ 14 million. The attack seems to be bigger, however, as the ETH was transferred in batches to the data protection mixer Tornado Cash in the last hour.

This attack is conceptually similar to the $ 20 million Evil Jar attack that hit Pickle Finance last year and the $ 37 million Evil Spell exploit that hit Alpha Finance earlier this month. In these “bad contract” exploits, an attacker creates a contract that leads a log to believe it belongs there and gives it access to log resources.

In this case, the attacker tricked the Furucombo protocol into believing his contract was a new version of Aave. From there, the attacker took the opportunity to transfer the funds of any user who had granted the permissions for the log token, rather than pulling money from the log as in previous exploits with malicious contracts.

“Infinite permissions mean you can delete anyone who interacts with Furucombo,” DeFi Italy hacker and co-founder Emiliano Bonassi told Cointelegraph in a statement.

This type of exploit seems to be growing in popularity and now accounts for over $ 70 million in user funds that were lost in a matter of months.

The team confirmed the attack in a tweet, saying it “believed” they had mitigated the exploit, but recommended revoking the permissions “out of caution”:

Users can use tools like to do this.

The attack comes at a time when the DeFi world is more reflective of the security and benefits of accounting firms. In the past three months, three different auditing and code review services, each with different incentive models, have been developed to encourage more thorough and dynamic security practices.