Furucombo Exploit - March 1, 2021 (REKT)
What Happened
An attacker exploited Furucombo's proxy contract to drain approximately $14 million from user wallets that had granted the protocol unlimited token approvals.
Technical Root Cause
The vulnerability involved a chain of dangerous design patterns:
1. Proxy delegatecall exposure: The Furucombo proxy executed caller-specified delegatecalls to "trusted handlers" without sufficient safeguards
2. Storage modification: These delegatecalls allowed external modification of the proxy's storage
3. Handler vulnerability: Handlers themselves made delegatecalls to addresses read from storage, and exposed functions that could modify that address
4. Implementation slot manipulation: The AAVE v2 handler read implementation addresses from storage via delegatecall, exposing it to manipulation
Attack Vector
The exploit proceeded in two transactions:
Transaction 1 (0x6a14869266a1dcf3f51b102f44b7af7d0a56f1766e5b1908ac80a6a23dbaf449):
• Attacker used a malicious contract to delegatecall through Furucombo proxy to AAVE v2 proxy
• Invoked the initialize function, setting the implementation slot to the attacker's contract address
Transaction 2 (0x5af11a27e98a167b61b01fea093cf612d5ec76c20fd2032f2d1aa49c8b1ee529):
• Attacker specified AAVE v2 Lending Pool proxy as the handler
• Furucombo proxy delegatecalled to AAVE proxy, which read the (now-malicious) implementation from Furucombo's storage
• Attacker's code executed in Furucombo's context, transferring all approved tokens to attacker-controlled addresses
Attacker address: 0xb624E2b10b84a41687caeC94BDd484E48d76B212
Furucombo proxy: 0x17e8Ca1b4798B97602895f63206afCd1Fc90Ca5f
Malicious implementation: 0x86765dde9304bea32f65330d266155c4fa0c4f04
Financial Impact
Total loss: ~$14 million across multiple assets, including:
• 3,900 stETH
• 2.4M USDC
• 649K USDT
• 257K DAI
• 26 aWBTC, 270 aWETH, 296 aETH, 2,300 aAAVE
• 90K CRV, 43K LINK
• 17.2M cUSDC
• 142.2M BAO tokens
• 38.6K PERP, 30.4K COMBO, 75K PAID, 225K UNIDX
Cream Finance's treasury was also directly targeted by the attacker.
Key Lessons & Recommendations
Design issues identified:
• Trust lists provide insufficient guarantees
• Developers must audit how delegatecallee functions affect caller storage
• Functions and parameters of callees should be restricted
• User-supplied inputs pose significant risks
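A reduced Solidity model of the pattern described in the root-cause and attack sections, added here as an illustration (not Furucombo's or Aave's code; contract names, slot names and the GuardedExecutor interface are assumptions). The first contract shows why a storage-resident initializer guard does not protect a callee reached via delegatecall; the second is an executor that encodes two of the design lessons above (restricted callee functions, and callee storage effects checked by the caller).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;
// Reduced model of the handler pattern: a fallback that delegatecalls to an address
// read from storage. When an executor delegatecalls INTO this contract, every sload
// and sstore below hits the EXECUTOR's storage, where INIT_SLOT was never set.
contract StorageRoutedHandler {
    bytes32 constant IMPL_SLOT = keccak256("example.impl"); // assumed slot names
    bytes32 constant INIT_SLOT = keccak256("example.init");
    function initialize(address impl) external {
        require(_load(INIT_SLOT) == bytes32(0), "already initialized"); // reads caller's slot under delegatecall
        _store(INIT_SLOT, bytes32(uint256(1)));
        _store(IMPL_SLOT, bytes32(uint256(uint160(impl))));
    }
    fallback() external payable {
        address impl = address(uint160(uint256(_load(IMPL_SLOT))));
        (bool ok, ) = impl.delegatecall(msg.data); // target is whatever was written to IMPL_SLOT
        require(ok, "impl call failed");
    }
    function _load(bytes32 s) internal view returns (bytes32 v) { assembly { v := sload(s) } }
    function _store(bytes32 s, bytes32 v) internal { assembly { sstore(s, v) } }
}

// Executor applying two lessons above: handler AND selector are allow-listed (so a
// stray initialize() cannot run), and reserved slots must be unchanged afterwards.
contract GuardedExecutor {
    address public immutable owner;
    bytes32[] public reservedSlots; // e.g. IMPL_SLOT and INIT_SLOT, fixed at deploy
    mapping(address => mapping(bytes4 => bool)) public allowed;
    constructor(bytes32[] memory slots) { owner = msg.sender; reservedSlots = slots; }
    function allow(address handler, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[handler][selector] = ok;
    }
    function batchExec(address[] calldata handlers, bytes[] calldata datas) external {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            require(datas[i].length >= 4 && allowed[handlers[i]][bytes4(datas[i])], "not allowed");
            bytes32 before = _fingerprint();
            (bool ok, ) = handlers[i].delegatecall(datas[i]);
            require(ok && _fingerprint() == before, "handler failed or touched reserved storage");
        }
    }
    function _fingerprint() internal view returns (bytes32 h) { // hash of all reserved slots
        for (uint256 i = 0; i < reservedSlots.length; i++) {
            bytes32 s = reservedSlots[i]; bytes32 v;
            assembly { v := sload(s) }
            h = keccak256(abi.encode(h, v));
        }
    }
}
```

The slot fingerprint is defense in depth only: it catches writes to slots you know about, so the primary control remains not registering handlers that delegatecall to storage-derived targets at all.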
User protections:
• Avoid "infinite approvals" unless absolutely necessary
• Regularly revoke token permissions using tools like Debank or Etherscan's approval checker
• Use hardware wallets
• Employ Web3-dedicated machines for contract interactions
• Maintain multiple addresses to spread risk
• Use fresh addresses for new farming activities
Audit note: Haechi's audit covered only the Furucombo proxy and Compound adapter; the AAVE interaction scenario and exploitation pathway fell outside audit scope.