DeFi: Celebrating 1 day since the last major hack.
Furucombo was fun. Furucombo was beautiful. Furucombo was rekt.
The bandits made off with over $14MM worth of tokens in possibly the largest attack made via token approvals.
The fallout affected several DeFi projects, including Cream.
Technical Details
At the high level, the exploit tricked the Furucombo smart contract by pretending Aave had upgraded its protocol. Anybody who had pre-approved transfers saw their tokens drained to the malicious address.
As always, @FrankResearcher appeared near the crime scene with a detailed understanding even faster than Rodion Raskolnikov.
The beneficiary was the devious 0xb624e2b10b84a41687caec94bdd484e48d76b212. This underappreciated breakdown by @Kurt_M_Barry describes it comprehensively.
Furucombo's contract made calls to a trusted address. That address was writable, so the hackers replaced it with their own address. At least $13.5M worth of tokens had been approved for spending by Furucombo's contract.
For every hack, there's always a prior audit. This one only found minor exploits!
Unfortunately, the only thing most auditors are able to protect is their own livelihoods. If auditors were good at discovering flaws, they'd be perpetrating eight figure hacks instead of drawing six figure salaries.
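To make the "writable trusted address" failure concrete, here is an added illustration in Solidity. It is not Furucombo's or Aave's code, and every contract and function name in it is hypothetical. It assumes the trusted address was used as a delegatecall target, which is what lets a swapped-in implementation act with the proxy's own identity and spend the ERC-20 allowances granted to it; the page itself only says the address was writable. The first contract shows the weak shape (an initializer anyone can call), the second the hardened shape (owner-only, one-shot initialization plus an allow-list of handlers).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// WEAK PATTERN (illustration only, hypothetical contract): the address the proxy
// trusts lives in a storage slot that anyone can write because the initializer
// has no access control and no "already initialized" guard.
contract UnguardedHandlerProxy {
    address public implementation; // the "trusted address"

    // Anyone can call this, so anyone can re-point the proxy at code they control.
    function initialize(address impl) external {
        implementation = impl;
    }

    // delegatecall runs the callee's code with THIS contract's identity and storage,
    // so any ERC-20 allowance granted to this contract is usable by whatever code
    // the implementation slot points at. That is the root of the approval risk.
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// HARDENED PATTERN (hypothetical contract): the trusted address is set once by a
// known owner, and delegatecall targets must be on an owner-controlled allow-list.
contract GuardedHandlerProxy {
    address public immutable owner;
    address public implementation;
    bool private initialized;
    mapping(address => bool) public isHandler;

    event ImplementationSet(address impl);
    event HandlerRegistered(address handler);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // One-shot, owner-only initialization: the slot cannot be re-pointed later.
    function initialize(address impl) external onlyOwner {
        require(!initialized, "already initialized");
        require(impl.code.length > 0, "impl is not a contract");
        initialized = true;
        implementation = impl;
        emit ImplementationSet(impl);
    }

    // Handlers are registered explicitly; emitting an event makes every change
    // of the trusted set visible to monitoring.
    function registerHandler(address handler) external onlyOwner {
        require(handler.code.length > 0, "handler is not a contract");
        isHandler[handler] = true;
        emit HandlerRegistered(handler);
    }

    // Only allow-listed handlers ever run with this contract's identity.
    function execute(address handler, bytes calldata data)
        external
        payable
        returns (bytes memory)
    {
        require(isHandler[handler], "handler not registered");
        (bool ok, bytes memory ret) = handler.delegatecall(data);
        require(ok, "handler call failed");
        return ret;
    }
}
```

The defensive point is the combination: every address that will ever be a delegatecall target must be set through an owner-gated, single-use path, and changes to that set should emit events so that an unexpected re-pointing shows up in monitoring rather than in a post-mortem. On the user side, the same design flaw is why unlimited token approvals to a composable contract are worth revoking or capping once a transaction is done.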
The moral of the story for developers:
Aftermath
Furucombo founder Hsuan-Ting Chu and his team worked swiftly to counteract the hack and communicate with the public.
Furucombo users were largely sympathetic.
Victims offered thoughts on how DeFi users can protect themselves.
DeFi is great, but remember that the high APYs are not risk free. Stay SAFU out there friends!
For more info, check our live market data at https://curvemarketcap.com/ or subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice.