The decentralized finance (DeFi) market remains flawed as attacks on various protocols continue to drain user funds. The latest attack of this sort, using the “evil contract” exploit has netted $14 million, and was executed with the help of user permissions granted to the protocol.
According to reports, Furucombo, a tool designed to help users “batch” transactions and interactions with multiple DeFi protocols simultaneously, was attacked at 4:45 pm UTC on February 28.
At the time of writing, the attacker’s wallet has $14 million worth of various cryptocurrencies, but the attack is estimated to be larger as the attackers have been transferring ETH to privacy mixer Tornado Cash in batches throughout the day.
The exploit used is quite similar to the one leveraged during the “evil jar” attack that struck Pickle Finance last year, which saw bad actors get away with $20 million. These attacks use a malicious smart contract that tricks the protocol into believing it belongs there, compromising the system by giving attackers access to protocol funds.
Similarly, in this case, the attacker tricked the Furucombo protocol into thinking that their contract was a new version of Aave. As one Twitter user notes:
Once the fake contract was in place, the attacker went on to leverage the ability to transfer the funds of every user who had given the protocol token permissions, instead of just draining funds from the protocol as seen during previous evil contract attacks.
“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy Emiliano Bonassi.
The team was quick to confirm the attack in a tweet, adding that they want users to revoke permissions “out of an abundance of caution:”
“Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.”
“Please remove your token approvals on https://approved.zone towards our contract at the earliest,” the team wrote.
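To make the “infinite permissions” point concrete, here is an added illustration (not code from Furucombo, Aave or the article) that models ERC-20 approve/transferFrom semantics in Python and computes each holder’s current exposure to a given spender, which is the check a user performs before deciding to revoke. The proxy address, holder names and balances are constructed for the example.

```python
# Toy ERC-20 allowance model (constructed example). It shows why an unlimited
# allowance granted to a shared proxy puts a holder's entire balance at risk if
# that proxy is compromised, why a bounded approval caps the loss, and how
# revocation (approve 0) removes the exposure.

MAX_UINT256 = 2**256 - 1  # the "infinite" approval value wallets commonly set


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves `amount` of owner's tokens. Per common ERC-20 practice the
        allowance is decremented unless it is the unlimited sentinel."""
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, spender):
    """Per holder, what a compromised `spender` could pull right now:
    min(balance, allowance). Holders with no allowance are omitted."""
    return {owner: min(bal, token.allowance(owner, spender))
            for owner, bal in token.balances.items()
            if token.allowance(owner, spender) > 0}


def revoke(token, owner, spender):
    token.approve(owner, spender, 0)  # setting allowance to 0 is the revoke


def demo():
    proxy = "0xPROXY"  # hypothetical batching proxy address
    tok = Token({"alice": 1_000, "bob": 500, "carol": 250})
    tok.approve("alice", proxy, MAX_UINT256)   # unlimited, as many dapps request
    tok.approve("bob", proxy, 100)              # bounded to what one batch needs
    before = exposure(tok, proxy)               # alice: 1000, bob: 100
    tok.transfer_from(proxy, "bob", "0xPOOL", 60)  # a legitimate batched action
    after_use = exposure(tok, proxy)            # bob's remaining allowance is 40
    revoke(tok, "alice", proxy)
    after_revoke = exposure(tok, proxy)         # alice no longer exposed
    return before, after_use, after_revoke
```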
DeFi in Danger?
The frequency of these attacks has grown quite a bit over the past year. Last week, attackers leveraged Cream’s Iron Bank protocol-to-protocol lending platform to fake a smart contract and steal $37 million worth of funds from Alpha Homora. The “fake spell/contract” exploit was also similar to last year’s “evil jar” attack on Pickle Finance.