Cyber Incident Victim: Furucombo

Date: Feb 2021

Location: Singapore

Summary

The transaction batching protocol Furucombo was compromised via an 'evil contract' exploit, where an attacker deployed a fraudulent contract impersonating Aave v2 to deceive the system into granting unauthorized access. This allowed the theft of over $14 million in cryptocurrencies, with funds subsequently transferred to a privacy mixer. The attack method resembled previous DeFi exploits targeting token approvals, and the team disabled vulnerable components while urging users to revoke permissions as a precautionary measure.

Description

On February 27, 2021, at approximately 4:45 pm UTC, the decentralized finance (DeFi) transaction batching protocol Furucombo suffered a security breach resulting in the theft of over $14 million in cryptocurrencies. The attacker exploited the protocol by deploying a malicious contract designed to impersonate Aave v2, tricking Furucombo’s system into recognizing it as a legitimate implementation update. This deception granted the attacker unauthorized access to user-approved token transfers, enabling them to divert funds to an external address. The attacker’s address accumulated $14 million in various cryptocurrencies post-exploit, with additional evidence showing batches of Ethereum being funneled into Tornado Cash, a privacy-focused transaction mixer, suggesting ongoing laundering efforts. This method mirrored previous "evil contract" attacks in the DeFi ecosystem, including the $20 million Pickle Finance "evil jar" incident in late 2020 and the $37 million Alpha Finance "evil spell" exploit earlier in February 2021, all involving fraudulent contracts masquerading as authorized protocol components.

The Furucombo team confirmed the breach via Twitter within hours, stating they had deauthorized the compromised components and believed the vulnerability was patched. They advised users to revoke token approvals to the protocol as a precautionary measure, directing them to tools like revoke.cash. Blockchain researcher Igor Igamberdiev publicly analyzed the attack vector, clarifying that the fake contract manipulated Furucombo’s logic to permit arbitrary token transfers. The incident occurred amid broader DeFi industry scrutiny over security practices, with three new auditing and code review services emerging in the preceding three months to address systemic vulnerabilities. The direct financial impact was quantified at $14 million in stolen assets, though the attacker’s rapid use of Tornado Cash indicated potential challenges in fund recovery. No user reimbursement plans or post-incident forensic details were disclosed in the immediate aftermath.
