The latest attack relied on user permissions granted to the protocol
The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds.
Furucombo, a tool designed to help users “batch” transactions and interactions with multiple decentralized finance (DeFi) protocols at once, fell victim to the attack at roughly 4:45 pm UTC. The attack centered on token approvals from users.
The attacker’s address currently has $14 million worth of various cryptocurrencies, but the attack appears to be larger as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour.
This attack is conceptually similar to the $20 million “evil jar” attack that struck Pickle Finance last year, as well as the $37 million “evil spell” exploit that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds.
Source for more:
https://cointelegraph.com/news/transaction-batching-protocol-furucombo-suffers-14-million-evil-contract-hack