Hackers Hit Furucombo’s Proxy Smart Contract, Stole $14M in ETH and ERC-20

Mar 2 2021

In brief

  • Hackers recently attacked a DeFi dApp known as Furucombo.
  • The attack resulted in $14 million stolen in the form of ETH and various ERC-20 tokens.
  • The incident is only one of nearly 20 major attacks that took place over the last 12 months.

According to recent information, a dApp named Furucombo, which focuses on the easy creation of multi-step transactions for DeFi and trading without the need to know how to code, was recently compromised.

Hacking attacks continue to plague the crypto industry, with a new focus on the DeFi sector. With DeFi skyrocketing over the past 12 months, the increased interest by online criminals is nothing surprising. However, the amounts that some attackers have managed to get away with are no less alarming.

What Happened?

The dApp was hit by a hacker or hackers who managed to steal more than $14 million in funds belonging to Furucombo’s users.

According to what is known, the attacker found a way to compromise the dApp’s proxy smart contract, which allowed them to withdraw ERC-20 tokens as well as Ether. The funds were quickly sent to the crypto mixer Tornado Cash to cover up the trail.

Crypto mixing services were created to increase user anonymity by splitting a single large transaction into multiple smaller ones and exchanging coins for others of the same protocol. That way, tracing the amount and the individual who made the transaction should be virtually impossible.

The hacker’s own address currently holds over $6.8 million, or 4,560 ETH. As for ERC-20 tokens, there is a variety of them contained within the address, totaling another $7 million. Researchers have found that there are over 5.5 million DAI tokens. Interestingly, these holdings do not include the funds that were sent through Tornado Cash.

It was suggested that all Furucombo users who interacted with the Furucombo Proxy should react by revoking their approvals to withdraw funds from their wallets via Revoke.
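What revoking an approval means at the ERC-20 level, as an added example that is not from the article or from Furucombo: it builds the standard `allowance(owner, spender)` query and the `approve(spender, 0)` calldata that sets the allowance back to zero. All three addresses are constructed placeholders, since the article does not give the proxy's address, and the node reply is constructed as well.

```python
# ERC-20 selectors: first 4 bytes of keccak256 of each function signature.
ALLOWANCE = "dd62ed3e"  # allowance(address,address)
APPROVE = "095ea7b3"    # approve(address,uint256)

# Constructed placeholder addresses (the article gives no real ones).
OWNER = "0x" + "11" * 20    # the user's wallet
TOKEN = "0x" + "22" * 20    # an ERC-20 token contract
SPENDER = "0x" + "33" * 20  # stands in for the proxy that was approved


def _word(addr):
    """Left-pad a 20-byte hex address to one 32-byte ABI word."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return h.rjust(64, "0")


def allowance_request(token, owner, spender):
    """JSON-RPC eth_call body: how much may `spender` pull from `owner`?"""
    data = "0x" + ALLOWANCE + _word(owner) + _word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_allowance(result_hex):
    """Decode the single uint256 word that allowance() returns."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) != 64:
        raise ValueError("expected one 32-byte word")
    return int(h, 16)


def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token."""
    return "0x" + APPROVE + _word(spender) + "0" * 64


if __name__ == "__main__":
    print(allowance_request(TOKEN, OWNER, SPENDER))
    reply = "0x" + "f" * 64  # constructed node reply: unlimited approval
    if decode_allowance(reply) > 0:
        print("approval still live; revoke with:", revoke_calldata(SPENDER))
```

An approval is stored per token contract, so the check has to be repeated for every token the wallet ever approved to the same spender.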

DeFi Attracts Money, while Money Attracts Hackers

As mentioned, the DeFi sector’s growth has resulted in multiple attacks over the past year. DeFi is brimming with money, with indications that more of it is coming its way. Recently, DeFi reached $45 billion in total value locked (TVL). While this amount has dropped since, mirroring the drop in cryptocurrency prices, the fact is that DeFi is still only getting started, and that it is likely to become one of the most profitable branches of the crypto industry.

As such, hacking attacks are something that should be expected and prepared for. This is why users should be very careful which projects they invest in, as it is imperative to use proper security features and not risk funds unnecessarily.

While many understand this, hacking incidents like this one are not new to DeFi. There were around 20 major attacks on the DeFi sector over the past year alone, which is quite noteworthy, given that the DeFi surge started in early summer last year. Around June, DeFi only had $1 billion in TVL, so hackers reacted rather quickly after this amount had started to increase.