In the latest “evil contract” exploit, the attacker made off with more than $14 million in stolen funds.
Furucombo, a tool designed to let users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to an attack at roughly 16:45 UTC that targeted users’ token approvals.
The attacker’s address currently holds about $14 million in various cryptocurrencies, but the haul appears to be larger, as ETH has been moved to Tornado Cash in batches over the last hour.
Conceptually, this attack resembles the $20 million “evil jar” attack that hit Pickle Finance last year and the $37 million “evil spell” attack that hit Alpha Finance earlier this month. In an “evil contract” exploit, the attacker deploys a contract that tricks the protocol into treating it as one of its own trusted components, which gives the attacker access to the protocol’s privileges.
In this case, the attacker tricked the Furucombo protocol into believing that his contract was a new version of Aave. From there, rather than draining funds held by the protocol itself, as in previous evil contract exploits, the attacker used that position to transfer funds out of every user who had granted the protocol a token approval.
“Infinite approvals mean you can drain anyone who interacted with Furucombo,” whitehat hacker and DeFi Italy co-founder Emiliano Bonassi said in a statement to Cointelegraph.
This type of exploit appears to be increasingly common, now accounting for over $70 million in lost user funds in just a few months.
The team confirmed the attack in a tweet and said they “believe” they have mitigated it, but recommended that users revoke their approvals “with extreme caution”:
To do this, users can use tools such as revoke.cash.
The attack comes amid broader speculation in the DeFi world about the security and usefulness of audit firms. Over the past three months, three different audit and code review services have launched, each with a different incentive model designed to encourage more comprehensive and dynamic security practices.
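The mechanism described above, and why revoking approvals stops it, can be shown with a small model. The following Python is an added example, constructed for this article; it is not Furucombo’s, Aave’s or revoke.cash’s code. It models only the pieces the attack depends on: an ERC-20-style token with approve/allowance/transferFrom, a proxy that users have granted an unlimited allowance to and that runs user-chosen handlers in its own context (the EVM’s delegatecall), and a handler registry that accepts the attacker’s fake “Aave v2” handler. The class names, the `proxy` address string and the three users are assumptions made for the demo; the ERC-20 allowance semantics (the spender is whoever calls transferFrom, and an allowance of 2^256-1 is conventionally treated as unlimited) are real.

```python
"""Toy model of an "evil contract" drain through a proxy's delegatecall.

Constructed example for illustration, not code from Furucombo or Aave.
Class names, addresses and balances below are assumptions for the demo.
"""

MAX_UINT256 = 2**256 - 1  # the "unlimited" approval value wallets offer


class Token:
    """Minimal ERC-20 accounting: balances and (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is exactly what a revoke does
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # The *caller* (msg.sender) must hold an allowance from `owner`.
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # unlimited approvals are never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Proxy:
    """Batching proxy: runs registered handlers in its own context, so any
    token call a handler makes is seen by the token as coming from the proxy."""

    ADDRESS = "proxy"  # assumed address string; users approve this spender

    def __init__(self):
        self.handlers = {}  # handler address -> handler object

    def register(self, address, handler):
        # The weak spot: the attacker's contract is accepted as a new
        # handler (in the incident, as a "new version of Aave").
        self.handlers[address] = handler

    def batch_exec(self, handler_address, *args):
        # delegatecall: handler code executes with the proxy as msg.sender
        return self.handlers[handler_address].run(self.ADDRESS, *args)


class FakeAaveHandler:
    """Attacker's handler: pulls whatever the victim's allowance to the proxy permits."""

    def __init__(self, attacker):
        self.attacker = attacker

    def run(self, proxy_address, token, victim):
        allowed = token.allowance.get((victim, proxy_address), 0)
        amount = min(token.balances[victim], allowed)
        if amount:
            token.transfer_from(proxy_address, victim, self.attacker, amount)
        return amount


def drain(token, victims, attacker="attacker"):
    """Register the fake handler and run it against each victim; return amounts taken."""
    proxy = Proxy()
    proxy.register("fake_aave_v2", FakeAaveHandler(attacker))
    return {v: proxy.batch_exec("fake_aave_v2", token, v) for v in victims}


def scenario():
    """Three constructed users with different approval hygiene."""
    token = Token({"alice": 1000, "bob": 1000, "carol": 1000})
    token.approve("alice", Proxy.ADDRESS, MAX_UINT256)  # clicked "unlimited"
    token.approve("bob", Proxy.ADDRESS, 100)            # approved only what one swap needed
    token.approve("carol", Proxy.ADDRESS, MAX_UINT256)  # unlimited, but...
    token.approve("carol", Proxy.ADDRESS, 0)            # ...revoked after the alert
    return drain(token, ["alice", "bob", "carol"]), token


if __name__ == "__main__":
    stolen, tok = scenario()
    print(stolen)                       # alice loses everything, bob 100, carol nothing
    print(tok.balances["attacker"])     # 1100
```

The point the model makes is the one in Bonassi’s quote: the attacker never needed the protocol’s own funds, only a spender address that many users had approved without limit and a way to execute arbitrary code as that spender. A bounded approval caps the loss at the approved amount, and setting the allowance to zero (what revoke.cash does under the hood) leaves nothing to take, even though the malicious handler is still registered.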