Furucombo Hack 2021 — $14M Exploit Analysis

Furucombo was drained via a 'evil contract' trick where the attacker registered a malicious Aave V2 implementation, stealing approved tokens from users.

Details

Full Description

The attacker tricked Furucombo's proxy contract into thinking a malicious contract was a legitimate Aave V2 implementation. The proxy delegatecalled to the evil contract, which then used existing token approvals that users had granted to Furucombo to drain their wallets. All affected users had previously approved Furucombo to spend their tokens.

Laundering Analysis

Stolen tokens immediately swapped to ETH via Uniswap and deposited to Tornado Cash. Furucombo team published a full post-mortem and issued COMBO tokens as partial compensation. The attacker profited approximately $14M net after flash loan costs. No attacker identification made. Funds laundered via Tornado Cash.

Sources

Transaction Hashes

Related Hacks

Back to Browse