{"id":37145,"date":"2021-02-28T10:28:50","date_gmt":"2021-02-28T08:28:50","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=37145"},"modified":"2025-08-29T10:00:43","modified_gmt":"2025-08-29T07:00:43","slug":"defi-project-furucombo-hacked-for-14-million","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/defi-project-furucombo-hacked-for-14-million\/","title":{"rendered":"DeFi project Furucombo hacked for $14 million"},"content":{"rendered":"<p>The Furucombo team said that an attacker compromised the DeFi project&#8217;s proxy server, with losses of about $14 million in Ethereum and ERC-20 tokens.<!--more--><\/p>\n<blockquote class=\\\"twitter-tweet\\\" data-lang=\\\"en\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.<\/p>\n<p>\u2014 FURUCOMBO (@furucombo) <a href=\\\"https:\/\/twitter.com\/furucombo\/status\/1365743632460910593?ref_src=twsrc%5Etfw\\\">February 27, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>The Furucombo team provides users with a tool that lets them visually combine transaction chains across various DeFi protocols.<\/p>\n<p>According to The Block researcher Igor Igamberdiev, the hacker used a forged contract that caused Furucombo to conclude that Aave v2 had a new implementation. 
This enabled interactions with this DeFi protocol to transfer approved tokens to an arbitrary wallet.<\/p>\n<blockquote class=\\\"twitter-tweet\\\" data-lang=\\\"en\\\">\n<p dir=\\\"ltr\\\" lang=\\\"en\\\">So what happened to Furu\u0441ombo\ud83d\udc47<\/p>\n<p>An attacker using a fake contract made Furu\u0441ombo think that Aave v2 has a new implementation.<br \/>\nBecause of this, all interactions with \u2018Aave v2\u2019 allowed transfers approved tokens to an arbitrary address. <a href=\\\"https:\/\/t.co\/gQVxJqiAmL\\\">pic.twitter.com\/gQVxJqiAmL<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\\\"https:\/\/twitter.com\/FrankResearcher\/status\/1365740713334493192?ref_src=twsrc%5Etfw\\\">February 27, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script><\/p>\n<p>The expert provided a list of stolen assets.<\/p>\n<div id=\\\"attachment_126224\\\" style=\\\"width: 131px\\\" class=\\\"wp-caption alignnone\\\"><img loading=\\\"lazy\\\" decoding=\\\"async\\\" aria-describedby=\\\"caption-attachment-126224\\\" class=\\\"wp-image-126224 size-medium\\\" src=\\\"https:\/\/u1f987.com\/wp-content\/uploads\/unnamed-file-1-121x300.jpg\\\" alt=\\\"DeFi-project Furucombo hacked for $14 million\\\" width=\\\"121\\\" height=\\\"300\\\" srcset=\\\"https:\/\/u1f987.com\/wp-content\/uploads\/unnamed-file-1-121x300.jpg 121w, https:\/\/u1f987.com\/wp-content\/uploads\/unnamed-file-1.jpg 306w\\\" sizes=\\\"auto, (max-width: 121px) 100vw, 121px\\\" \/><\/p>\n<p id=\\\"caption-attachment-126224\\\" class=\\\"wp-caption-text\\\">Data: Twitter.<\/p>\n<\/div>\n<p>The breach occurred at 16:47 UTC. 
The project team believes the vulnerability has been fixed, but, for safety, urged users to remove token approvals.<\/p>\n<p>Furucombo pledged to inform the community about further actions.<\/p>\n<p>According to <a href=\\\"https:\/\/etherscan.io\/address\/0xb624e2b10b84a41687caec94bdd484e48d76b212\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Etherscan<\/a>, the hacker is actively moving stolen assets, including via the Tornado Cash mixer.<\/p>\n<p>Earlier, Crystal Blockchain <a href=\"https:\/\/u1f987.com\/en\/news\/report-attackers-are-13-times-faster-at-disposing-of-stolen-cryptocurrencies\">noted<\/a> that over the past five years criminals have become 13 times faster at disposing of stolen cryptocurrencies, and mixers have become the second most popular channel for exits.<\/p>\n<p>Earlier in February, the hacker withdrew <a href=\"https:\/\/u1f987.com\/en\/news\/hacker-drains-37-5-million-from-cream-finance-defi-protocol\">tokens worth $37.5 million<\/a> from the DeFi protocol Iron Bank (Cream Finance v2).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Furucombo team said that an attacker compromised the DeFi project&#8217;s proxy server, with losses of about $14 million in Ethereum and ERC-20 
tokens.<\/p>\n","protected":false},"author":1,"featured_media":37146,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1093],"class_list":["post-37145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"16","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/37145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=37145"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/37145\/revisions"}],"predecessor-version":[{"id":37147,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/37145\/revisions\/37147"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/37146"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=37145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=37145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=37145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}