Furucombo "Evil Contract" Hack - February 27, 2021
Note: this entry carries a Feb 2020 date in the source, but the incident referenced by the original article (TheBlock id 96572) is the Furucombo "evil contract" exploit of Feb 27, 2021.
Overview
On February 27, 2021, the DeFi aggregator Furucombo suffered a significant security breach resulting in a loss of approximately $14 million. The attack centered on token approvals from users.
What is Furucombo?
Furucombo is a tool designed to help users "batch" transactions and interactions with multiple DeFi protocols at once via a proxy contract. Users grant ERC-20 token approvals to the Furucombo proxy so that combos can move tokens on the user's behalf.
The Attack Mechanism
The Furucombo hack was a sophisticated exploitation of smart-contract vulnerabilities, specifically targeting the proxy contract mechanism. In an "evil contract" attack, an attacker generates a malicious smart contract that appears legitimate to the targeted protocol, giving the attacker access to protocol funds.
In this case, the attacker deceived Furucombo's proxy into believing the attacker's contract was an updated version of the Aave v2 protocol (by overwriting the implementation slot of the AAVE v2 proxy address that Furucombo trusted).
How Users Lost Funds
After successfully tricking Furucombo into believing a malicious contract was the new version of Aave, the evil contract took advantage of the broad token permissions users had granted to the Furucombo proxy.
Users had granted ERC-20 token allowances to the Furucombo proxy, allowing it to perform transactions using those tokens without further approvals. When subsequent calls flowed through Furucombo into the (now-malicious) "Aave v2" handler, the evil contract siphoned out any tokens that the user had already approved.
Attack Vector / Steps
1. Attacker called the AAVE v2 proxy via Furucombo, invoking initialize to overwrite the implementation slot with the attacker's malicious contract
2. Attacker then routed transactions through Furucombo specifying AAVE v2 as the handler
3. Furucombo proxy delegatecalled to AAVE proxy, which read the attacker-controlled implementation
4. Attacker code executed in Furucombo's context, transferring all user-approved tokens to attacker addresses
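The mechanism behind steps 1 to 4 is a storage-context confusion: DELEGATECALL runs the callee's code against the caller's storage, so an `initialize` function reached through Furucombo's proxy writes the implementation slot of Furucombo, not of Aave. The following toy model, added here as an illustration and not code from Furucombo, Aave or the original article, simulates CALL versus DELEGATECALL with plain Python dictionaries and runs the four steps above once against a vulnerable batching proxy and once against a constructed hardening (the batching proxy pre-initialises the slot in its own storage and checks that it still resolves to the vetted implementation before delegating). All names (`furucombo`, `aave_proxy`, `evil_impl`, `victim`, the `IMPL_SLOT` label) are simulation labels, not real addresses.

```python
"""Toy EVM-style model of CALL vs DELEGATECALL storage context (constructed
example; names are labels, not real contract addresses or the projects' code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict

IMPL_SLOT = "implementation"  # constructed label for the proxy's implementation slot
VICTIMS = ["victim"]          # constructed: accounts the evil implementation targets

@dataclass
class Contract:
    address: str
    storage: Dict[str, object] = field(default_factory=dict)
    code: Dict[str, Callable] = field(default_factory=dict)

@dataclass
class Frame:
    """Execution context: whose storage is written and who msg.sender is."""
    address: str
    storage: Dict[str, object]
    sender: str

class Chain:
    def __init__(self) -> None:
        self.contracts: Dict[str, Contract] = {}
    def deploy(self, c: Contract) -> None:
        self.contracts[c.address] = c
    def eoa(self, addr: str) -> Frame:
        return Frame(addr, {}, addr)
    def call(self, f: Frame, target: str, fn: str, *args):
        # CALL: callee code runs in the callee's OWN storage; msg.sender = caller
        c = self.contracts[target]
        return c.code[fn](self, Frame(target, c.storage, f.address), *args)
    def delegatecall(self, f: Frame, target: str, fn: str, *args):
        # DELEGATECALL: callee code runs in the CALLER's storage, as the caller
        return self.contracts[target].code[fn](self, f, *args)

# --- ERC-20-like token: balances and allowances live in the token's storage ---
def token_approve(chain, f, spender, amount):
    f.storage.setdefault("allowance", {})[(f.sender, spender)] = amount

def token_transfer_from(chain, f, owner, to, amount):
    allowance = f.storage.setdefault("allowance", {})
    balance = f.storage.setdefault("balance", {})
    if allowance.get((owner, f.sender), 0) < amount or balance.get(owner, 0) < amount:
        raise PermissionError("insufficient allowance or balance")
    allowance[(owner, f.sender)] -= amount
    balance[owner] -= amount
    balance[to] = balance.get(to, 0) + amount

# --- upgradeable proxy: initialize() writes the slot of whichever storage it
#     RUNS in; fallback() delegatecalls whatever that slot resolves to ---
def proxy_initialize(chain, f, impl):
    if f.storage.get(IMPL_SLOT) is not None:
        raise PermissionError("already initialized")
    f.storage[IMPL_SLOT] = impl

def proxy_fallback(chain, f, fn, *args):
    return chain.delegatecall(f, f.storage[IMPL_SLOT], fn, *args)

def honest_deposit(chain, f, amount):
    # pulls msg.sender's own tokens into the lending pool
    chain.call(f, "token", "transferFrom", f.sender, "lending_pool", amount)

def evil_deposit(chain, f, amount):
    # runs as the batching proxy, so it can spend every allowance granted to it
    for victim in VICTIMS:
        chain.call(f, "token", "transferFrom", victim, "attacker", amount)

# --- batching proxy: delegatecalls an allow-listed handler ---
def batch_exec(chain, f, handler, fn, *args):
    vetted = f.storage["handlers"].get(handler)
    if vetted is None:
        raise PermissionError("handler not allowed")
    if f.storage.get("hardened"):
        # constructed hardening: the implementation slot as seen from OUR
        # storage must still resolve to the implementation that was vetted
        if f.storage.get(IMPL_SLOT) != vetted:
            raise PermissionError("handler implementation slot tampered")
    return chain.delegatecall(f, handler, fn, *args)

def run_scenario(hardened: bool) -> dict:
    chain = Chain()
    chain.deploy(Contract("token", {"balance": {"victim": 1000}},
                          {"approve": token_approve, "transferFrom": token_transfer_from}))
    chain.deploy(Contract("aave_proxy", {IMPL_SLOT: "aave_impl"},
                          {"initialize": proxy_initialize, "fallback": proxy_fallback}))
    chain.deploy(Contract("aave_impl", code={"deposit": honest_deposit}))
    chain.deploy(Contract("evil_impl", code={"deposit": evil_deposit}))
    furu_storage = {"handlers": {"aave_proxy": "aave_impl"}, "hardened": hardened}
    if hardened:
        furu_storage[IMPL_SLOT] = "aave_impl"  # pre-initialise the slot in our own context
    chain.deploy(Contract("furucombo", furu_storage, {"batchExec": batch_exec}))
    chain.call(chain.eoa("victim"), "token", "approve", "furucombo", 1000)  # normal use
    outcome, attacker = {}, chain.eoa("attacker")
    for label, args in [("initialize", ("initialize", "evil_impl")),      # step 1
                        ("deposit", ("fallback", "deposit", 1000))]:       # steps 2-4
        try:
            chain.call(attacker, "furucombo", "batchExec", "aave_proxy", *args)
            outcome[label] = "ok"
        except PermissionError as e:
            outcome[label] = f"reverted: {e}"
    bal = chain.contracts["token"].storage["balance"]
    outcome["furucombo_slot"] = chain.contracts["furucombo"].storage.get(IMPL_SLOT)
    outcome["aave_proxy_slot"] = chain.contracts["aave_proxy"].storage[IMPL_SLOT]
    outcome["victim_balance"] = bal.get("victim", 0)
    outcome["attacker_balance"] = bal.get("attacker", 0)
    return outcome

if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In the vulnerable run the slot in `furucombo`'s storage ends up as `evil_impl` while `aave_proxy`'s own slot is untouched, which is the whole point: Aave was never compromised, only the copy of its proxy logic executing inside Furucombo's storage. The practical takeaways for a defender are that a batching proxy should never delegatecall into a target whose own code does storage writes it does not control (an upgradeable proxy in particular), and that users should keep ERC-20 allowances to aggregators scoped to the amount actually needed, since any code reached via delegatecall from the proxy can spend the full allowance.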
Financial Impact
• Total loss: ~$14 million across multiple assets
• Funds laundered through Tornado Cash in bundles over time
Sources