“An attacker compromised the Furucombo proxy. The team has deauthorized the relevant components and believes the vulnerability to be patched, but they recommend users remove approvals out of an abundance of caution,” tweeted Furucombo, a decentralized finance application, on the 27th Feb 2020.
Furucombo lost $14 million after an exploiter used a fake contract to trick the application into thinking it was an Aave v2 update. Furucombo later tweeted that the vulnerability had been sorted out.
Furucombo is a tool designed to help users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once.
They recently tweeted as well: “We’re in the process of investigating the stolen fund and organizing the follow-up actions.”
Igor Igamberdiev of The Block Research tweeted on Saturday that the exploiter used the above-mentioned contract to transfer approved tokens to its address.
The attacker’s address currently holds $14 million worth of various cryptocurrencies. The attack appears to be larger, however, as the attacker has been transferring ETH to the privacy mixer Tornado Cash in batches over the last hour.
This type of exploit appears to be increasingly popular, so far accounting for over $70 million in user funds lost in just a few months.
Every week brings another DeFi platform exploit, which shows how immature this space is and how much more development it needs.