The Furucombo team said that an attacker compromised the DeFi project’s proxy server, with losses of about $14 million in Ethereum and ERC-20 tokens.
Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.
— FURUCOMBO (@furucombo) February 27, 2021
The Furucombo team provides users with a tool that lets them visually combine transaction chains across various DeFi protocols.
According to The Block researcher Igor Igamberdiev, the hacker used a forged contract that caused Furucombo to conclude that Aave v2 had a new implementation. This enabled interactions with this DeFi protocol to transfer approved tokens to an arbitrary wallet.
So what happened to Furuсombo👇
An attacker using a fake contract made Furuсombo think that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL— Igor Igamberdiev (@FrankResearcher) February 27, 2021
The expert provided a list of stolen assets.
Data: Twitter.
The breach occurred at 16:47 UTC. The project team believes the vulnerability has been fixed, but, for safety, urged users to remove token approvals.
Furucombo pledged to inform the community about further actions.
According to Etherscan, the hacker is actively moving stolen assets, including via the Tornado Cash mixer.
Earlier, Crystal Blockchain noted that over the past five years criminals have become 13 times faster at disposing of stolen cryptocurrencies, and mixers have become the second most popular channel for exits.
Earlier in February, the hacker withdrew tokens worth $37.5 million from the DeFi protocol Iron Bank (Cream Finance v2) tokens worth $37.5 million.
Subscribe to ForkLog news on Telegram: ForkLog Feed — the full news feed, ForkLog — the most important news and polls.