Some crypto wallets have a term for building a cryptocurrency portfolio from multiple smaller digital wallets—a “furucombo.” The folks over at Furucombo have made it easy to do using a single mobile app.
A hack on Furucombo, a service for compiling blockchain assets and giving them a name, has earned the hacker $14M.
The first-ever service that leveraged the decentralized nature of the Ethereum blockchain to take advantage of smart contract vulnerabilities in order to steal funds from another service was announced earlier this year, and now another scam using this exploit has been exposed. Since the initial announcement, numerous services have been created that exploit it for their own gain, and the latest one to use it stole a staggering $14 million.
Posted 6 months ago | 2 minutes to read
- Furucombo, a DeFi building block service, was abused for $14 million.
- The attacker convinced the protocol that their contract was Aave V2.
- Instead of depleting the money, the attacker transfers them.
Furucombo, a drag-and-drop tool used to build DeFi transactions, was exploited. The attacker’s address holds $14 million in different cryptocurrencies.
The exploiter used a phony contract to fool the app into believing it was an Aave v2 upgrade, then used this contract to transfer all tokens that had been authorized to Furucombo into their wallet.
DeFi transaction batching tool exploited for $14 million
Furucombo, a DeFi building block service, was found to have been abused. The attack is comparable to Pickle Finance’s $20 million evil jar attack from last year. Alpha Finance was hit by a $37 million evil spell exploit earlier this month.
More specifically, in these malicious contract attacks, an attacker creates a contract that convinces a protocol that it belongs there, which gives the attacker access to protocol funds.
So, what went wrong with Furucombo?
Furucombo was led to believe that Aave v2 had a new implementation by an attacker who used a false contract. As a result, all interactions with ‘Aave v2’ permitted the transfer of authorized tokens to any address.
February 27, 2021 — Igor Igamberdiev (@FrankResearcher)
In this instance, the attacker fooled the Furucombo protocol into believing their contract was a new version of Aave. Instead of depleting money, the attacker transfers the funds of all users who have granted the protocol token access. Furucombo later tweeted that the flaw had been patched.
An attacker gained access to the Furucombo proxy today at 4:47 PM UTC. We’ve deauthorized the necessary components and think the vulnerability has been fixed, but out of an excess of caution, we suggest users remove approvals.
February 27, 2021 — FURUCOMBO (@furucombo)
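The following toy model is an added example, not Furucombo's or Aave's code. It shows why token approvals held by a proxy become spendable by whatever contract the proxy accepts as "Aave v2", and how pinning the handler implementation or removing approvals stops the transfer. All names are hypothetical, and the unrestricted `set_impl` is an assumption, since the page does not say how the replacement was made.

```python
# Toy model, constructed for illustration; not Furucombo's or Aave's code.
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> approved amount
    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount
    def transfer_from(self, spender, owner, to, amount):
        approved = self.allowance.get((owner, spender), 0)
        if approved < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("allowance or balance too low")
        self.allowance[(owner, spender)] = approved - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Proxy:
    """Batching proxy: handler code spends the approvals users gave the proxy."""
    def __init__(self, name, pinned=None):
        self.name, self.impl = name, {}
        self.pinned = pinned or {}  # hardened: the only implementation accepted
    def set_impl(self, handler, impl):
        # Assumed weak point: nothing checks who redefines a trusted handler.
        self.impl[handler] = impl
    def execute(self, handler, token, *args):
        impl = self.impl[handler]
        if self.pinned and self.pinned.get(handler) is not impl:
            raise PermissionError("handler implementation changed")
        return impl(self, token, *args)

def genuine_aave(proxy, token, user, amount):
    token.transfer_from(proxy.name, user, "aave_pool", amount)

def fake_aave(proxy, token, owner, to, amount):
    token.transfer_from(proxy.name, owner, to, amount)  # any owner, any address

def run(pinned=False, revoked=False):
    token = Token({"alice": 100})
    proxy = Proxy("proxy", {"aave_v2": genuine_aave} if pinned else None)
    token.approve("alice", proxy.name, 10**18)  # effectively unlimited approval
    if revoked:
        token.approve("alice", proxy.name, 0)  # user removed the approval
    proxy.set_impl("aave_v2", fake_aave)  # fake contract posing as Aave v2
    try:
        proxy.execute("aave_v2", token, "alice", "attacker", 100)
    except PermissionError:
        pass
    return token.balances["alice"]  # what the user still holds
```

`run()` models the unprotected case, `run(pinned=True)` the proxy-side fix, and `run(revoked=True)` the user-side step Furucombo recommended.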
Furthermore, the attack comes at a time when the DeFi community is reflecting on security and the value of auditing firms. In addition, three new auditing and code review firms have arisen in the past three months. Each has its own incentive scheme for energizing dynamic security procedures.
As described in our introduction, we recently published an article based on research of the Furucombo hacking event, which was one of the largest known digital currency hacks in history, yet most people are unaware of the details. To better understand the incident, we recently released the full report, which includes technical details of the hack, the Furucombo service, and our analysis of the underlying processes.