- DeFi building block service Furucombo exploited for $14M.
- The attacker tricked the protocol into thinking that their contract was Aave V2.
- Instead of draining funds, the attacker transferred the funds of users who had given the protocol token permissions.
Furucombo, a drag-and-drop tool used to create DeFi transactions, has been exploited. The attacker's address holds $14 million worth of various cryptocurrencies.
The exploiter used a fake contract to trick the application into thinking it was an Aave v2 update, then used this contract to move all approved tokens from Furucombo into their wallet.
DeFi Transaction Batching Tool Exploited for $14M
Furucombo, a DeFi building block service, has been exploited. The attack is similar to the $20 million "evil jar" attack that struck Pickle Finance last year. Earlier this month, a $37 million "evil spell" exploit hit Alpha Finance.
In these evil contract exploits, an attacker develops a contract that fools a protocol into believing it belongs there, giving the attacker access to protocol funds.
In this case, the attacker tricked the Furucombo protocol into thinking that their contract was a new version of Aave. From there, instead of draining funds, the attacker transferred the funds of every user who had given the protocol token permissions. Later, Furucombo tweeted that the vulnerability had been fixed.
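A toy Python model of the pattern described above, added here as an illustration and not taken from Furucombo's or Aave's code: users approve a proxy as token spender, and any handler that passes the proxy's identity check acts with those approvals. The `Token`, `Proxy`, `exposure` and `simulate` names, the addresses, and the name-based weak check are assumptions; the page does not describe the actual check that was fooled.

```python
# Added illustration: a toy model, not Furucombo's or Aave's code. All names are hypothetical.
class Token:
    """Minimal ERC-20-style ledger: balances plus owner -> spender allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        if self.allowances.get((owner, caller), 0) < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("allowance or balance too low")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Proxy:
    """Batching proxy that users approve as a spender and that runs handler code."""
    ADDRESS = "proxy"

    def __init__(self, token, trusted_addresses, strict):
        self.token, self.trusted, self.strict = token, frozenset(trusted_addresses), strict

    def execute(self, handler_address, claimed_name, action):
        # Weak check (assumed for this model): believe what the handler says it is.
        # Hardened check: accept only addresses on a fixed allowlist.
        ok = handler_address in self.trusted if self.strict else claimed_name == "aave-v2"
        if not ok:
            raise PermissionError(f"handler {handler_address} rejected")
        # The handler acts with the proxy's authority, including every user approval.
        action(lambda owner, to, amt: self.token.transfer_from(self.ADDRESS, owner, to, amt))

def exposure(token, spender):
    """Per-owner amount a spender could move right now: min(balance, allowance)."""
    return {o: min(a, token.balances.get(o, 0))
            for (o, s), a in token.allowances.items() if s == spender and a > 0}

def simulate(strict):
    token = Token({"alice": 100, "bob": 50, "carol": 70})   # constructed sample data
    token.approve("alice", Proxy.ADDRESS, 100)
    token.approve("bob", Proxy.ADDRESS, 20)                 # carol never approved the proxy
    proxy = Proxy(token, trusted_addresses={"0xAAVE"}, strict=strict)
    at_risk = exposure(token, Proxy.ADDRESS)
    def sweep(pull):                                        # impostor handler body
        for owner, amount in at_risk.items():
            pull(owner, "impostor", amount)
    try:
        proxy.execute("0xFAKE", "aave-v2", sweep)
    except PermissionError:
        pass
    return at_risk, token.balances
```

The `exposure` result is the number to watch as a defender: a user's loss is bounded by their outstanding allowance to the proxy, so revoking or limiting approvals shrinks it regardless of which check the proxy gets wrong.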
The attack comes at a time of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to energize dynamic security practices.