Furucombo Will Issue IOU Tokens to Compensate Hack Victims

Key Takeaways

  • Furucombo will issue 5 million iouCOMBO tokens to compensate victims of the hack.
  • The iouCOMBO tokens will have a 360-day linear-vesting period.
  • The team has reported the hacking incident to law enforcement.

The DeFi news category was brought to you by Ampleforth, our preferred DeFi partner


Furucombo has announced that they will issue “iouCOMBO” tokens to the victims.

Furucombo to Reimburse Hack

Furucombo was hacked on Feb. 27 for $14 million in ETH and ERC-20 tokens.

This affected 22 users who lost their funds. The team lost $1.74 million of working capital in the hack.

On Mar. 2, the team announced that they had fixed the exploit and subsequently deployed a new proxy smart contract.


The team will compensate the victims of the hack by issuing 5 million IOU tokens. These iouCOMBO tokens will be in the form of ERC-20 tokens and represent the right to claim COMBO tokens.

These 5 million tokens will be allocated to the recovery pool. One million of the allocated funds will come from the core team, while the remaining 4 million will come from its community growth fund. This allocation will go live in April after the security audits have been completed.

These iouCOMBO tokens will have a 360-day linear-vesting period.

For example, if Alice has 1,000 iouCOMBO tokens and locks up her iouCOMBO in the recovery pool on April 14th, she will be able to claim 1,000 * (45/360) = 125 COMBO immediately. She can claim the remaining 875 COMBO gradually over the following 315 days.


Additionally, the team has reported the hacking incident to legal authorities. They are cooperating with Certora to get a full audit and are seeking an additional firm so that they can have audits from two different companies.

On Jan. 7, Furucombo raised a sum of $1.85 million in their seed funding round.

The market has reacted negatively to this announcement. Furucombo’s native COMBO token price is trading at $2.39, down 18.7% in the past 24 hours.

Disclosure: The author didn’t hold crypto mentioned in this article at the time of press.


Transaction batching protocol Furucombo suffers $14 million “evil contract” hack

The latest “evil contract” exploit has netted an attacker over $14 million in stolen funds. 

Furucombo, a tool designed to help users “batch” transactions and interactions with multiple protocols at once, fell victim to the attack which centered on token approvals from users.

The attacker’s address currently holds $14 million in various cryptocurrencies, but the attack appears to be larger, as they have been transferring ETH to privacy mixer Tornado Cash in batches over the last hour.

This attack is conceptually similar to the $20 million “evil jar” attack that struck Pickle Finance last year, as well as the $37 million “evil spell” exploit that hit Alpha Finance earlier this month. In these “evil contract” exploits, an attacker creates a contract that fools a protocol into believing it belongs there, giving them access to protocol funds.

In this case, the attacker ‘tricked’ the Furucombo protocol into thinking that their contract was a new version of Aave. From there, rather than draining funds from the protocol as in previous evil contract exploits, they leveraged the ability to take the funds of every user who had given the protocol token permissions.

“Infinite permissions means you can wipe everyone who interacted with Furucombo,” said whitehat hacker and co-founder of DeFi Italy in a statement to Cointelegraph.

This exploit type appears to be growing increasingly popular, now accounting for over $70 million in user funds lost in just a few months.

The team confirmed the attack in a Tweet, saying that they “believed” they’d mitigated the exploit but recommended revoking permissions “out of an abundance of caution.”

Users can leverage tools like revoke.cash to do so. 
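As an added illustration (not from the original article or from Furucombo), the Python sketch below replays ERC-20 `Approval` event logs to list which owners still hold a live allowance to a given spender contract, which is the exposure that revoking permissions removes. All addresses and log entries are constructed placeholders, and the 2**255 cutoff for "unlimited" is an assumption.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: at or above this counts as "infinite"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, spender):
    """Last Approval per (token, owner) wins; zero means revoked.
    Logs ignore spending via transferFrom, so finite amounts are upper bounds;
    the on-chain allowance(owner, spender) call is authoritative."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        if topic_to_address(topics[2]) != spender.lower():
            continue
        state[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {key: amount for key, amount in state.items() if amount > 0}

def report(logs, spender):
    """Sorted findings, flagging allowances large enough to drain any balance."""
    return [{"token": t, "owner": o, "amount": a, "unlimited": a >= UNLIMITED_THRESHOLD}
            for (t, o), a in sorted(live_allowances(logs, spender).items())]

def make_log(block, index, token, owner, spender, amount):
    """Build a constructed log entry shaped like an eth_getLogs result."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

# Constructed placeholder addresses, not real contracts or users
SPENDER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20
SAMPLE_LOGS = [
    make_log(100, 0, TOKEN_A, ALICE, SPENDER, MAX_UINT256),
    make_log(101, 3, TOKEN_A, BOB, SPENDER, MAX_UINT256),
    make_log(102, 1, TOKEN_B, ALICE, SPENDER, 500),
    make_log(103, 0, TOKEN_A, CAROL, OTHER, MAX_UINT256),
    make_log(105, 2, TOKEN_A, BOB, SPENDER, 0),  # Bob revokes
]
if __name__ == "__main__":
    for finding in report(SAMPLE_LOGS, SPENDER):
        print(finding)
```

In the constructed data, Bob's later zero-value approval removes him from the findings, while Alice's unlimited approval on the first token remains flagged.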

The attack comes during a period of wider reflection in the DeFi world on security and the utility of auditing companies. In the last three months, three different auditing and code review services have emerged, each with a different incentive model designed to encourage more thorough and dynamic security practices.