Furucombo Post-Mortem March 2021
To add an extra layer of protection to Furucombo, we’ve made the following updates:
1. Frontend Feature: Only approve the amount spent.
2. Redeploy Proxy: Make sure the token allowances of users are 0.
- The new proxy contract address: 0xA013AfbB9A92cEF49e898C87C060e6660E050569
*Aave cubes and flashloan are temporarily down as we are undergoing thorough testing.
Dear Furucombo community, DeFi users, and partners, we’d like to share a full update on the recent exploit that took place.
In this post, we will outline what happened during the exploit that occurred on Saturday 27 February 2021, explain who was affected, outline what we are doing and provide the next steps of how we will prevent this from occurring again.
We would like to reassure you that all user funds are safe and the hacker cannot use the same method to attack again.
This weekend, an exploit of the Furucombo platform occurred at 04:47:53 PM UTC on Saturday 27 February 2021. The attack was identified quickly, the community was notified promptly and all affected contracts were disabled.
Who was Affected?
The breach affected 22 Furucombo users and resulted in funds, made up of 21 different assets worth US$15 million, being stolen by an unknown attacker. Steps are being taken to compensate all users who were affected.
- Furucombo will continue working with the security team to identify the hacker.
- The Furucombo contract system is safe to use now after being patched. The proxy and registry contract will be upgraded to resolve the lending pool integration issue as soon as possible. The Aave V2 cube should return to normal after it has undergone thorough testing this week.
- Furucombo will also continue working with local authorities to investigate the hack and take criminal action, where possible, against the culprit(s).
- Furucombo will also complete several major external audits of the entire Furucombo platform in 2021.
Finally, as Furucombo will continue to integrate with top projects in the DeFi space, the auditing process of all partners will be strengthened and repeated periodically to ensure that there are no compromised parts of the platform from our partners.
Furucombo is committed to compensating all users who were affected. More details on this will be shared as soon as possible.
Our community is the most important part of Furucombo. We are working closely with all affected users to ensure funds are compensated. We stay committed to our mission in building out the most comprehensive DeFi aggregator in the world.
We appreciate your continued support and look forward to moving forward stronger than ever before with the Furucombo community behind us.
Technical Breakdown of Events
Furucombo is based on a flexible composition of any number of components. The proxy contract (current deployment) is the main dispatch switch and allows invoking (in the same storage space, via delegatecall) any number of components. Such invocations can go through external services (e.g., Aave flash loans).
Contracts that are allowed to call the proxy (callers) as well as contracts that are permitted to be called by the proxy (callees) are registered in a registry contract (current deployment) which authorizes any such calls (via calls to function isValid()).
The lists of permitted callers and callees were unified in the proxy contract: the same call (isValid()) was used both to validate who calls into the Furucombo proxy and who gets called by the Furucombo proxy. This allowed delegatecall-ing into the Aave lending pool contracts (v1, v2): the Aave contracts were valid callers but they were also treated as valid callees.
The attack relied on the fact that the Aave v2 lending pool is called via an upgradeability proxy. That proxy stores its implementation address at storage location 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc. The attacker delegatecalled into the Aave V2 lending pool proxy and asked it to initialize its implementation to the attack contract. Because a delegatecall runs in the caller's storage, the "implementation" slot was read from the Furucombo proxy contract's storage space, where its contents were 0, so the initialization succeeded.
This then allowed the attacker to use the Aave V2 lending pool proxy to delegatecall into the attacker’s implementation contract, which proceeded to drain funds from users who had approved Furucombo’s proxy — e.g., [2,3].
After the compromise was discovered, we immediately removed the Aave v2 lending pool from the registry contract at 05:46:16 PM UTC, as this was the key element of the attack. The attacker's transaction at 05:55:17 PM UTC was then reverted. Though the handler was not affected, we temporarily paused the Aave cubes. The rest of the cubes remain functional.
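As an added illustration (not Furucombo's own code), the sketch below shows a registry that keeps the two allowlists the unified isValid() check collapsed, so that an address registered as a caller (a lending pool delivering a flash loan) is never accepted as a delegatecall target. Contract and function names (SplitRegistry, isValidCaller, isValidHandler, batchExec, _exec) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical registry with two separate allowlists. The incident described
// above came from one isValid() answering both "may this address call the
// proxy?" and "may the proxy delegatecall into this address?".
contract SplitRegistry {
    address public immutable owner;
    mapping(address => bool) public isValidCaller;   // e.g. lending pools calling back
    mapping(address => bool) public isValidHandler;  // cubes the proxy may delegatecall

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setCaller(address a, bool ok) external onlyOwner { isValidCaller[a] = ok; }
    function setHandler(address a, bool ok) external onlyOwner { isValidHandler[a] = ok; }
}

contract Proxy {
    SplitRegistry public immutable registry;

    constructor(SplitRegistry r) { registry = r; }

    // User entry point: every target is checked against the handler list only.
    function batchExec(address[] calldata tos, bytes[] calldata datas) external payable {
        require(tos.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < tos.length; i++) _exec(tos[i], datas[i]);
    }

    // Callback entry point for external services (e.g. a flash-loan pool):
    // only the caller list is consulted, and msg.sender is never delegatecalled.
    fallback() external payable {
        require(registry.isValidCaller(msg.sender), "invalid caller");
        // A real implementation would decode the callback payload here and
        // route each nested target through _exec again.
    }
    receive() external payable {}

    function _exec(address to, bytes memory data) internal {
        // A lending pool that is only a registered caller fails this check, so
        // its initialize() can never run in this contract's storage context.
        require(registry.isValidHandler(to), "invalid handler");
        (bool ok, bytes memory ret) = to.delegatecall(data);
        if (!ok) {
            // bubble up the callee's revert reason unchanged
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}
```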