
Explained: The Furucombo Evil Contract Hack (Feb 2021)

Rob Behnke

Furucombo is a transaction batching protocol used in Decentralized Finance (DeFi).  It lets users chain a series of DeFi actions into a single transaction, optionally wrapped in a flash loan (the combo starts by borrowing and ends by repaying).  For example, if a user spotted a price discrepancy for a token between two venues, they could arbitrage it atomically and turn a profit.  Furucombo makes this easier by providing a drag-and-drop interface for manually building such chains of actions.

On February 27, 2021, Furucombo was the victim of an “evil contract” attack.  This attack enabled the attacker to steal over $14 million in user funds from the protocol.

An Evil Contract Masquerading as a New Version of Aave

The attack against Furucombo was carried out using an “evil contract”, similar to the recent Pickle and Alpha Homora hacks.  In this case, the evil contract masqueraded as a new implementation of Aave v2.  Aave is one of the DeFi protocols that Furucombo users can include when building their transaction combinations.

After tricking Furucombo into treating it as a new version of Aave, the evil contract was able to take advantage of standing token approvals left in place by Furucombo users.  These users had granted ERC20 allowances to the Furucombo contract so that it could move their tokens without a fresh approval for every combo.  Because the evil contract (masquerading as Aave v2) executed with Furucombo’s authority, it could call transferFrom on any token a user had approved and siphon it out, regardless of what the user had actually intended to do with it.  For example, a user who had earlier approved Furucombo to spend their DAI in order to supply it to Aave could have that DAI drained from their wallet, up to the approved amount.

This means that the Furucombo hack had a more personal impact on the protocol’s users.  Unlike many DeFi hacks, where the protocol itself suffers the losses, this vulnerability enabled direct exploitation of user wallets to the tune of at least $14 million in cryptocurrency.  The exact value is currently unknown, as the attacker has been sending the funds to Tornado.cash in bundles over time.

Since the hack was discovered, the Furucombo team has corrected the vulnerability that made the exploit possible.  They also advise users to revoke the token approvals granted to the Furucombo contract, since those allowances are what made this attack possible.
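Revoking “the token approvals” first requires knowing which ones are open. The script below, added here as an illustration and not Furucombo’s or Halborn’s tooling, replays ERC20 Approval event logs for one wallet and one spender, reports the allowances still above zero, and builds the approve(spender, 0) calldata the wallet would send to each token to revoke them. The addresses and log entries are constructed sample data (labelled as such in the code); the Approval topic hash and the approve selector are the standard ERC20 values. Block numbers are shown as ints for readability, whereas eth_getLogs returns hex strings.

```python
"""Audit which ERC20 allowances a wallet still has open to one spender.

Added example for this write-up; it is not Furucombo's tooling and uses
constructed sample logs rather than chain data. The log shape mirrors an
eth_getLogs result, with block numbers as ints for readability.
"""

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"): included only so the filter has something to skip
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# First 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"
UNLIMITED = 2**256 - 1  # the "infinite approval" many dapps request

# Constructed, hypothetical addresses; real ones are 20 random-looking bytes.
PROXY = "0x" + "11" * 20  # the spender under audit, e.g. a batching proxy
ALICE = "0x" + "22" * 20
BOB = "0x" + "33" * 20
DAI = "0x" + "aa" * 20
USDC = "0x" + "bb" * 20


def _word(value: int) -> str:
    """ABI-encode an unsigned integer as one 32-byte hex word (no 0x prefix)."""
    return format(value, "064x")


def _address_topic(addr: str) -> str:
    """Indexed address parameters appear in topics left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _topic_address(topic: str) -> str:
    """Recover the 20-byte address from a padded topic."""
    return "0x" + topic[-40:].lower()


def approval_log(block, index, token, owner, spender, value):
    """Build a constructed log entry shaped like an eth_getLogs result."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, _address_topic(owner), _address_topic(spender)],
        "data": "0x" + _word(value),
        "blockNumber": block,
        "logIndex": index,
    }


SAMPLE_LOGS = [  # constructed sample data
    approval_log(100, 0, DAI, ALICE, PROXY, UNLIMITED),    # Alice: unlimited DAI to the proxy
    approval_log(101, 4, USDC, ALICE, PROXY, 500_000_000), # Alice: 500 USDC (6 decimals)
    approval_log(102, 1, DAI, BOB, PROXY, 10**21),         # Bob's approval, not Alice's
    approval_log(105, 2, USDC, ALICE, PROXY, 0),           # Alice later revoked USDC
    {"address": DAI, "topics": [TRANSFER_TOPIC, _address_topic(ALICE), _address_topic(BOB)],
     "data": "0x" + _word(10**18), "blockNumber": 106, "logIndex": 0},  # a Transfer, skipped
]


def decode_approval(log):
    """Return (token, owner, spender, value) for an Approval log, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), _topic_address(topics[1]),
            _topic_address(topics[2]), int(log["data"], 16))


def open_allowances(logs, owner, spender):
    """Latest Approval value per token that `owner` granted `spender`, dropping zeros.

    Approval events carry the value that was set, so the most recent one wins.
    Spending through transferFrom lowers a finite allowance without necessarily
    emitting an event, so treat the result as an upper bound and confirm it with
    the token's allowance(owner, spender) view before deciding what to revoke.
    """
    owner, spender = owner.lower(), spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        decoded = decode_approval(log)
        if decoded is None:
            continue
        token, log_owner, log_spender, value = decoded
        if log_owner == owner and log_spender == spender:
            latest[token] = value
    return {token: value for token, value in latest.items() if value > 0}


def revoke_calldata(spender):
    """Calldata for approve(spender, 0): sent by the owner to each token contract."""
    return APPROVE_SELECTOR + _address_topic(spender)[2:] + _word(0)


if __name__ == "__main__":
    for token, value in open_allowances(SAMPLE_LOGS, ALICE, PROXY).items():
        label = "UNLIMITED" if value == UNLIMITED else str(value)
        print(f"{token} -> {PROXY}: {label}; revoke with calldata {revoke_calldata(PROXY)}")
```

In practice the logs would come from eth_getLogs filtered on the Approval topic and the owner’s padded address in topics[1]; the rest of the script is unchanged. Unlimited approvals deserve particular attention, since a compromised spender can drain the whole balance rather than the amount the user meant to use.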

Lessons Learned from the Furucombo Hack

This hack is the latest in a series of attacks against DeFi protocols leveraging “evil contracts”.  The protocol had previously undergone a smart contract audit, which underscores that an audit can still overlook vulnerabilities.

This security incident provides several important takeaways:

Contract Whitelisting

This hack was based on the ability to trick Furucombo into accepting the evil contract as an updated version of the Aave protocol.  This underscores the importance of whitelisting, or otherwise verifying, the addresses of crucial smart contracts that a protocol relies on and interacts with, especially any contract it executes with its own authority.

Permissions Management

Users of Furucombo lost funds because they had standing token approvals that allowed the Furucombo contract to transfer those tokens on their behalf.  This underscores the importance of carefully managing permissions when interacting with DeFi protocols: approve only the amount a given operation needs rather than an unlimited allowance, and revoke approvals that are no longer in use.
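The model below ties the mechanism and both takeaways together. It is an added example written for this write-up, not Furucombo’s, Aave’s or the attacker’s code, and it is a simplified Python model rather than Solidity: a batching proxy runs whichever handler is registered under the name “Aave v2” with the proxy’s own authority, and users have granted the proxy ERC20 allowances. The write-up does not describe how the impersonation was achieved, so the model reduces it to an implementation-update step that either is or is not checked against a list of verified addresses (an assumption). All addresses, balances and names are constructed.

```python
"""Toy model of an "evil contract" draining user allowances through a batching proxy.

Added example for this write-up; it is not Furucombo's, Aave's or the attacker's
code, and the impersonation step is simplified to a handler-update call that
may or may not be checked against a whitelist of verified addresses (assumption).
Addresses and balances are constructed.
"""

UNLIMITED = 2**256 - 1  # the "infinite approval" many dapps request


class ERC20:
    """Minimal ERC20 model: balances plus (owner, spender) -> allowance."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        """Set an allowance; approving 0 is how an owner revokes it."""
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        """Move `owner`'s tokens on behalf of `caller`, who needs an allowance."""
        if self.allowance(owner, caller) < amount:
            raise PermissionError(f"{caller} may not spend {amount} {self.symbol} of {owner}")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if self.allowance(owner, caller) != UNLIMITED:  # infinite approvals are not decremented
            self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class AaveV2Handler:
    """Stand-in for the genuine Aave v2 integration (hypothetical address)."""
    address = "0xAAVE"

    def execute(self, proxy, token, caller, amount):
        # A deposit pulls exactly `amount` from the calling user into the pool.
        token.transfer_from(proxy.address, caller, "0xAAVE_POOL", amount)
        return amount


class EvilContract:
    """Attacker contract posing as the new Aave v2 implementation."""
    address = "0xEVIL"

    def __init__(self, attacker, victims):
        self.attacker = attacker
        self.victims = victims

    def execute(self, proxy, token, caller, amount):
        # Ignores the caller and the requested amount: runs with the proxy's
        # authority, so it can spend every allowance users granted the proxy.
        stolen = 0
        for victim in self.victims:
            take = min(token.allowance(victim, proxy.address), token.balances.get(victim, 0))
            if take:
                token.transfer_from(proxy.address, victim, self.attacker, take)
                stolen += take
        return stolen


class BatchProxy:
    """Furucombo-like proxy that executes user combos through named handlers."""
    address = "0xPROXY"

    def __init__(self, verified, enforce_whitelist):
        self.verified = set(verified)            # addresses reviewed and approved
        self.enforce_whitelist = enforce_whitelist
        self.handlers = {}

    def set_handler(self, name, handler):
        # Vulnerable configuration: any contract can be installed under a trusted name.
        if self.enforce_whitelist and handler.address not in self.verified:
            raise PermissionError(f"{handler.address} is not a verified implementation of {name}")
        self.handlers[name] = handler

    def batch_exec(self, caller, name, token, amount):
        return self.handlers[name].execute(self, token, caller, amount)


def run_scenario(enforce_whitelist, user_approval, revoke_after_use=False):
    """Replay the incident under one configuration and return the resulting balances."""
    dai = ERC20("DAI", {"0xALICE": 10_000})
    proxy = BatchProxy(verified={AaveV2Handler.address}, enforce_whitelist=enforce_whitelist)
    proxy.set_handler("Aave v2", AaveV2Handler())
    # Alice approves the proxy, then makes a legitimate 1,000 DAI deposit.
    dai.approve("0xALICE", proxy.address, user_approval)
    proxy.batch_exec("0xALICE", "Aave v2", dai, 1_000)
    if revoke_after_use:
        dai.approve("0xALICE", proxy.address, 0)
    # Mallory installs the evil contract as "Aave v2" and triggers it.
    blocked = False
    try:
        proxy.set_handler("Aave v2", EvilContract("0xMALLORY", victims=["0xALICE"]))
        proxy.batch_exec("0xMALLORY", "Aave v2", dai, 0)
    except PermissionError:
        blocked = True
    return {"alice": dai.balances["0xALICE"], "mallory": dai.balances.get("0xMALLORY", 0), "blocked": blocked}


if __name__ == "__main__":
    print("unlimited approval, no whitelist:", run_scenario(False, UNLIMITED))
    print("unlimited approval, whitelist:   ", run_scenario(True, UNLIMITED))
    print("exact approval, no whitelist:    ", run_scenario(False, 1_000))
    print("revoked after use, no whitelist: ", run_scenario(False, UNLIMITED, revoke_after_use=True))
```

The four scenarios separate the two lessons: the whitelist is the protocol-side fix and stops the impersonation outright, while an exact-amount approval or a revoke after use is the user-side control that limits the damage even when the protocol is compromised. Only the combination of an unlimited standing approval and an unverified handler loses Alice her entire balance.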

As DeFi grows more influential and holds more value, security becomes more important as well.  Performing comprehensive security audits is essential for identifying and remediating the types of vulnerabilities that make these attacks possible.


Get in touch with Halborn today at [email protected] to discuss how we can help protect your blockchain company from hacks.
