DeFi Tx Bundler Furucombo Hacked for $14 Million


Furucombo, a dApp focused on easily creating multi-step transactions for trading and DeFi without knowing how to code, just got compromised. At press time, a hacker managed to drain over $14 million of users’ funds.

The hacker compromised Furucombo’s proxy smart contract, which enabled them to withdraw ETH and ERC20 tokens. 

The hacker’s transaction draining ERC20 tokens. Source: Etherscan.

The hacker then started sending funds to the mixer Tornado Cash to cover their tracks and withdraw funds.

The hacker’s transaction to Tornado Cash. Source: Etherscan.

Currently, the hacker’s address holds over 4,560 ETH, worth roughly $6.8 million, and more than $7 million in ERC20 tokens, including more than 5.5 million DAI. These holdings do not include funds that were sent to Tornado Cash for laundering.

The hacker’s Ethereum address. Source: Etherscan.

Anyone who interacted with the Furucombo proxy should use Revoke to revoke the approvals that allow it to withdraw funds from their wallet. The addresses of Furucombo contracts to check:

  • 0x57805e5a227937BAc2B0FdaCaA30413ddac6B8E1
  • 0x17e8ca1b4798b97602895f63206afcd1fc90ca5f
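To show what checking these approvals means at the contract level, here is an added example (not code from the article, Furucombo or Revoke). It builds the standard ERC-20 `allowance(owner, spender)` query for each Furucombo address, decodes the reply, and produces the `approve(spender, 0)` calldata that clears a remaining approval. The token and wallet addresses and the node replies are constructed placeholders, and nothing is sent over the network.

```python
# Added example: ERC-20 allowance check against the two Furucombo addresses.
FURUCOMBO = [
    "0x57805e5a227937BAc2B0FdaCaA30413ddac6B8E1",
    "0x17e8ca1b4798b97602895f63206afcd1fc90ca5f",
]
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)


def _word(address):
    """ABI-encode an address as a left-padded 32-byte word (hex, no 0x)."""
    raw = address.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return raw.rjust(64, "0")


def allowance_request(token, owner, spender, req_id=1):
    """JSON-RPC eth_call body asking `token` for allowance(owner, spender)."""
    data = "0x" + ALLOWANCE_SELECTOR + _word(owner) + _word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_allowance(result_hex):
    """Decode the uint256 returned by allowance(); an empty result is 0."""
    body = result_hex[2:] if result_hex.startswith("0x") else result_hex
    return int(body, 16) if body else 0


def revoke_calldata(spender):
    """Calldata for approve(spender, 0), which clears the allowance."""
    return "0x" + APPROVE_SELECTOR + _word(spender) + "0" * 64


def exposed(results):
    """results: {spender: eth_call result}. Return spenders still approved."""
    return [s for s, r in results.items() if decode_allowance(r) > 0]


if __name__ == "__main__":
    token = "0x" + "11" * 20   # constructed placeholder token address
    wallet = "0x" + "22" * 20  # constructed placeholder wallet address
    for i, spender in enumerate(FURUCOMBO):
        print(allowance_request(token, wallet, spender, i))
    # Constructed node replies: unlimited approval for the first, none for the second.
    sample = {FURUCOMBO[0]: "0x" + "f" * 64, FURUCOMBO[1]: "0x" + "0" * 64}
    for spender in exposed(sample):
        print("revoke:", spender, revoke_calldata(spender))
```

The check has to be repeated for every token the wallet ever approved, since each ERC-20 contract stores its own allowances.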

Over the last year, there were numerous hacks and exploits of DeFi protocols. The space is nascent, but the Total Value Locked in DeFi smart contracts continues to grow, exceeding $37 billion at press time. Furucombo’s hack is another reminder for DeFi users to seriously consider contract security and not to put money they can’t afford to lose into new protocols.
