The Furucombo Incident Analysis: Cascading Trust

Started at 16:47:53PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited to result in more than $14M loss. The incident was due to a flaw of inappropriate trust in the protocol, which is exploited to cascadingly misuse the allowed spending of this protocol on its users. In this blog post, we elaborate the technical details of the issue.



The Cascading Trust Vulnerability

  1. It prepares an evil contract that will run in the context of the vulnerable Furucombo proxy;
  2. It calls the Furucombo proxy with the whitelisted AaveLendingPoolv2; However, the call comes with crafted arguments that cascadingly delegatecalls the AaveLendingPoolv2::initialize() function, which further delegatecalls the evil contract (prepared in the previous step);
  3. With the delegatecalls, the evil contract now runs in the context the Furucombo proxy to transfer users’ funds. Note the Furucombo proxy may have been approved from the users, possibly with unlimited allowance.
Cascading Trust in Furucombo

We should mention that the Furucombo protocol has the built-in whitelist mechanism that has been immediately activated to temporarily remove the affected entity from its registry.

The Funds

About Us

A Blockchain Security Company (