Started at 16:47:53PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited to result in more than $14M loss. The incident was due to a flaw of inappropriate trust in the protocol, which is exploited to cascadingly misuse the allowed spending of this protocol on its users. In this blog post, we elaborate the technical details of the issue.
This incident was due to a flawed logic in trusting a remote entity that has been previously whitelisted. However, the remote entity supports a logic that makes use of the
delegatecall feature to invoke user-provided (untrusted) code. As a result, this flawed logic is exploited to spend the approved allowance from the Furucombo protocol users. The consequence of this attack directly result in more than $14M loss from the affected users, including CREAM.
The Cascading Trust Vulnerability
In the following, we analyze this specific attack as demonstrated in the transaction of 0x6a14…f449. This attack can be divided into following distinct steps:
- It prepares an evil contract that will run in the context of the vulnerable Furucombo proxy;
- It calls the Furucombo proxy with the whitelisted
AaveLendingPoolv2; However, the call comes with crafted arguments that cascadingly delegatecalls the
AaveLendingPoolv2::initialize()function, which further delegatecalls the evil contract (prepared in the previous step);
- With the delegatecalls, the evil contract now runs in the context the Furucombo proxy to transfer users’ funds. Note the Furucombo proxy may have been approved from the users, possibly with unlimited allowance.
We should mention that the Furucombo protocol has the built-in whitelist mechanism that has been immediately activated to temporarily remove the affected entity from its registry.
This attack leads to more than $14M loss from the users. And most of the attacker’s funds from the above exploitations are currently held in this wallet: 0xb624. We are actively monitoring this wallet for any movement.
PeckShield Inc. is an industry leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.