DeFi Project Furucombo Lost $15M in an Exploit; All 22 Affected Users will be Compensated
After crashing over 63% from ATH of $6.97, COMBO price has recovered 41.5% to $4.08 today. The protocol now plans to complete several major external audits of the entire platform this year.
DeFi project Furucombo was compromised over the weekend, with 21 different assets worth $15 million taken. The protocol intends to compensate all 22 affected users and is now working on a mitigation plan that will be shared with the community soon.
During the late hours of Saturday, the team shared on Twitter that they had found the root cause of the attack and that the vulnerability was patched. The contract is now safe to use.
As per the post mortem shared by the team Monday, the attack that occurred at 04:47:53 PM UTC on Saturday 27 February 2021 was identified quickly, and all affected contracts were disabled.
Furucombo is working closely with a dedicated security team to monitor the situation and to prevent further user funds from being compromised.
Meanwhile, the exploit sent the price of COMBO down over 63% to $2.54 from an all-time high of $6.97 just four days earlier. Since falling to this level today, the price has recovered 41.5% to $4.08.
Furucombo is basically a ‘drag and drop’ tool designed to help with the batching of transactions and interactions with other decentralized finance (DeFi) protocols.
Explaining exactly what happened, the team said the Aave contracts were both valid callers and valid callees. The unknown attacker delegatecalled into the Aave V2 lending pool proxy and asked it to initialize its implementation to the attack contract. Because the contents of that implementation value were 0, the initialization succeeded.
This allowed the attacker to use the Aave V2 lending pool proxy to delegatecall into the attacker’s implementation contract, which proceeded to drain funds from users who had approved Furucombo’s proxy, the team noted.
Upon discovering the compromise, the key element of the attack on the Aave V2 lending pool was removed, and the attacker's transaction was reverted.
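The delegatecall behaviour described above, as an added Python model that is not Furucombo's or Aave's code: the account names, the slot name and the whitelist check are assumptions made for illustration, including the assumption that the fix amounts to removing the pool proxy from the valid callees. It shows why initialization fails against the pool proxy's own storage but succeeds in the batching proxy's storage.

```python
# Constructed model of delegatecall storage context; not Furucombo or Aave code.
IMPL_SLOT = "implementation"  # hypothetical slot name used only in this model

class Account:
    def __init__(self, code, storage=None):
        self.code, self.storage = code, dict(storage or {})

def initializable_proxy(storage, method, arg, world):
    """Proxy logic; it acts on whichever storage the call context hands it."""
    if method == "initialize":
        if storage.get(IMPL_SLOT, 0) != 0:
            raise RuntimeError("already initialized")
        storage[IMPL_SLOT] = arg  # first caller chooses the implementation
        return "initialized"
    # Any other method is forwarded to the stored implementation, same storage.
    return world[storage[IMPL_SLOT]].code(storage, method, arg, world)

def call(world, target, method, arg=None):
    """Plain call: code runs against the callee's own storage."""
    return world[target].code(world[target].storage, method, arg, world)

def delegatecall(world, caller, target, method, arg=None):
    """delegatecall: the callee's code runs against the caller's storage."""
    return world[target].code(world[caller].storage, method, arg, world)

def batch_exec(world, whitelist, target, method, arg=None):
    """Batching proxy: delegatecalls only into whitelisted handlers."""
    if target not in whitelist:
        raise PermissionError(f"{target} is not a valid handler")
    return delegatecall(world, "batch_proxy", target, method, arg)

def build_world():
    return {
        "batch_proxy": Account(None),  # its implementation slot is unset (0)
        "pool_proxy": Account(initializable_proxy, {IMPL_SLOT: "pool_impl"}),
        "pool_impl": Account(lambda s, m, a, w: "pool logic"),
        "untrusted_impl": Account(lambda s, m, a, w: "untrusted code, batch_proxy context"),
    }

def outcome(whitelist):
    """Try to initialize the pool proxy directly, then through the batch proxy."""
    world, result = build_world(), {}
    try:
        call(world, "pool_proxy", "initialize", "untrusted_impl")
    except RuntimeError as exc:
        result["direct"] = str(exc)
    try:
        batch_exec(world, whitelist, "pool_proxy", "initialize", "untrusted_impl")
        result["via_batch"] = batch_exec(world, whitelist, "pool_proxy", "anything")
    except PermissionError as exc:
        result["via_batch"] = str(exc)
    return result
```

Calling `outcome({"pool_proxy"})` models the state before the fix and `outcome(set())` the state after the proxy is no longer a valid callee.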
In response to the attack, Furucombo is now planning to complete several major external audits of the entire platform this year.