InsideBitcoins.com

Hackers Steal $14 Million From Transaction Batching Protocol Furucombo

Korean Exchange Upbit Suffers Hack and Theft of 342,000 ETH ($50 Million) - Copy

Transaction batching protocol Furucombo has just lost $14 million in another “evil contract attack,” according to a recent report.

The tool enables users to “batch transactions using different decentralized Finance (DeFi) protocols at the same time.

About $14 million worth of different cryptocurrencies was transferred to the crypto address of the attacker from the platform. However, the amount seems to be higher than this since the attackers have been shifting Ethereaum (ETH) in batches to Tornado Cash over the past three hours.

Evil contract attack steadily on the rise

This type of attack on protocols seems to be growing in popularity and impact. Within a few months, users have lost over $70 million through this type of exploit on various protocols.

In an “evil contract exploit,” the threat actor opens a contract that deceives the protocol into recognizing it as belonging there, which opens up access to funds from the protocol.

The Furucombo hacking incident is similar to the last year’s “evil spell” attack on Struck Pickle Finance, which cost the platform about $20 million.

It’s also similar in concept to the $37 million “evil spell” attack on Alpha Francis earlier this month.

Number of DDoS Attacks on Crypto Sites Increasing at an Alarming Pace

For the Furucombo attack, the threat actor made the protocol assume that their contract was the latest version of Aave. However, the attackers didn’t drain funds directly from the protocol, just like it happens with every evil contract exploit.

Instead, the attacker took advantage of the permissions given by users of the protocol to transfer funds. As protocols of this nature work, users may give token permissions on the protocol. So, the threat actors leveraged this opportunity to send funds from the accounts directly to their addresses.

Emiliano Bonassi, white-hat hacker and co-founder of DeFi Italy explained how the protocol works.  “Infinite permissions means you can wipe everyone who interacted with Furucombo,” he said.

Many users have revoked their permissions

The Furucombo protocol team has released a statement regarding the attack. The team stated that the exploit has been mitigated, but it’s important not to throw caution to the wind. They have recommended the revoke of permissions for precautionary reasons. The team has also asked users to use the features at revoke cash to revoke permissions.

From the address of the attackers, it appears that most of the funds are no longer in the hackers’ address. As of the time of writing, the address still has over $1 million worth of crypto assets.

Top brokers for buying and trading cryptocurrencies

  • Platform
  • Features
  • Rating
  • Visit Site
  • US-Friendly
  • Paypal accepted
  • 12+ cryptocurrencies
4.5/5

Visit Site
75% of retail investors lose money.
eToro Reviews

    eToro Reviews

    https://insidebitcoins.com/visit/etoro-newsCreate your account
    Hide eToro Reviews
    • Best broker for non-US countries
    • Trade crypto CFDs, forex and stocks
    • No withdrawal or deposit fees
    4.5/5

    Visit Site
    80.5% of retail investors lose money.
    Plus500 Reviews

      Plus500 Reviews

      https://insidebitcoins.com/visit/plus500-newsCreate your account
      Hide Plus500 Reviews
      Remember, all trading carries risk. Past performance is no guarantee of future results.
      Avatar

      A journalist, with experience in web journalism and marketing. Ali holds a master's degree in finance and enjoys writing about cryptocurrencies and fintech. Ali’s work has been published on a number of cryptocurrency publications.