Projekt DeFi Furucombo zhakowany. Skradziono 14 mln$

Today at 4:47 PM UTC the Furucombo proxy was compromised by an attacker. We have deauthorized the relevant components and believe the vulnerability to be patched but we recommend users remove approvals out of an abundance of caution.

— FURUCOMBO (@furucombo) February 27, 2021

chodziło o kontrakt proxy 🧐

— 📈 Tomasz Kowalczyk (@tomkowalczyk) February 28, 2021

What was stolen ($14M+):

– 3,9k stETH
– 2.4M USDC
– 649k USDT
– 257k DAI
– 26 aWBTC
– 270 aWETH
– 296 aETH
– 2.3k aAAVE
– 4 WBTC
– 90k CRV
– 43k LINK
– 7.3k cETH
– 17.2M cUSDC
– 69 cWBTC
– 142.2M BAO
– 38.6k PERP
– 30.4k COMBO
– 75k PAID
– 225k UNIDX
– 342 GRO
– 19k NDX

— Igor Igamberdiev (@FrankResearcher) February 27, 2021

So what happened to Furuсombo👇

An attacker using a fake contract made Furuсombo think that Aave v2 has a new implementation.
Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address. pic.twitter.com/gQVxJqiAmL

— Igor Igamberdiev (@FrankResearcher) February 27, 2021