Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 024 · Smart Contract Bug

Furucombo Evil-Contract Delegatecall

Furucombo users lost $14M after the attacker tricked the proxy into delegatecalling a malicious 'Aave v2 implementation' that swept every approved balance.

Date: February 27, 2021
Victim: Furucombo
Chain(s):
Status:
Funds Stolen: ~$14M

On February 27, 2021 at 16:47 UTC, the DeFi transaction-batching protocol Furucombo was exploited for approximately $14 million — drained not from its own treasury but from every user who had granted Furucombo's proxy contract token approvals. The attacker tricked Furucombo's proxy into thinking Aave v2 had received an upgraded implementation, and used delegatecall to execute attacker-controlled code with the privileges of every user.

What happened

Furucombo let users batch DeFi operations into a single transaction — useful for things like "deposit into Aave, then swap on Uniswap, then provide liquidity on Curve, all atomically." To do this, users granted Furucombo's proxy contract token approvals, often with infinite allowance, so the proxy could move their tokens during the batched operations.

Furucombo's proxy supported upgradeable target contracts for the protocols it integrated with. When a protocol upgraded its implementation contract, Furucombo's proxy would route through a new implementation address. The bug: the proxy did not validate that the new "implementation" was actually deployed by the protocol it claimed to integrate with.

The attacker:

  1. Deployed an evil contract — written to look like an Aave v2 implementation upgrade.
  2. Tricked the Furucombo proxy into routing Aave-related calls through the evil contract.
  3. Used the proxy's delegatecall to the evil contract to execute arbitrary code in the proxy's context — including calls to transferFrom() against every user's approved token balance.
  4. Drained the balances of every user holding infinite approvals to Furucombo, sweeping ~$14M across multiple tokens.
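The missing validation described above (a proxy that delegatecalls into a handler address it never checks against the protocol it claims to integrate) is easiest to see side by side with the fix. The following Solidity is an added illustration written for this dossier, not Furucombo's code: `VulnerableBatchProxy` accepts caller-supplied handler addresses, while `HardenedBatchProxy` resolves every handler through a governance-controlled allowlist and pins the handler's code hash so an approved address cannot quietly start running different code. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not Furucombo's contracts. Names are hypothetical.

/// VULNERABLE PATTERN. The proxy holds users' ERC-20 approvals and delegatecalls into
/// whatever handler address the caller supplies. delegatecall runs the handler's code
/// with THIS contract's storage, balance and address, so the handler can call
/// IERC20.transferFrom against every allowance that was granted to the proxy.
contract VulnerableBatchProxy {
    function batchExecute(address[] calldata handlers, bytes[] calldata datas) external payable {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            // handlers[i] is attacker-chosen: nothing ties it to a known protocol
            (bool ok, ) = handlers[i].delegatecall(datas[i]);
            require(ok, "handler call failed");
        }
    }
}

/// HARDENED PATTERN. Handlers must be explicitly allowlisted by governance, and the
/// allowlist records the handler's EXTCODEHASH at approval time. Every batch step
/// re-checks both the address and the code hash before the delegatecall.
contract HardenedBatchProxy {
    // immutable lives in code, not storage, so a handler cannot overwrite it via delegatecall
    address public immutable governance;
    // handler address => code hash observed when governance approved it
    mapping(address => bytes32) public approvedCodeHash;

    event HandlerApproved(address indexed handler, bytes32 codeHash);
    event HandlerRevoked(address indexed handler);

    constructor(address _governance) {
        governance = _governance;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    function approveHandler(address handler) external onlyGovernance {
        bytes32 h = handler.codehash;
        // codehash is 0 for a non-existent account and keccak256("") for an EOA
        require(h != bytes32(0) && h != keccak256(""), "handler has no code");
        approvedCodeHash[handler] = h;
        emit HandlerApproved(handler, h);
    }

    function revokeHandler(address handler) external onlyGovernance {
        delete approvedCodeHash[handler];
        emit HandlerRevoked(handler);
    }

    function batchExecute(address[] calldata handlers, bytes[] calldata datas) external payable {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            address h = handlers[i];
            bytes32 expected = approvedCodeHash[h];
            require(expected != bytes32(0), "handler not allowlisted");
            // a handler that self-destructed and was redeployed with new code fails here
            require(h.codehash == expected, "handler code changed");
            (bool ok, bytes memory ret) = h.delegatecall(datas[i]);
            if (!ok) {
                // bubble up the handler's revert reason for debuggability
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}
```

Two caveats apply to the hardened form. First, pinning a code hash only protects the address you allowlist: if that address is itself an upgradeable proxy, its behaviour can change behind an unchanged code hash, so allowlist concrete implementations and re-approve on every upgrade rather than trusting a protocol's proxy address. Second, delegatecall still runs the handler with full write access to the batch proxy's storage, so each allowlisted handler must be reviewed as if it were part of the proxy itself, and handlers should not keep state in slots the proxy uses.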

Aftermath

  • Furucombo deauthorized the relevant proxy components and recommended affected users revoke all approvals to the proxy.
  • The team published a post-mortem and shipped a redesigned proxy with strict implementation-address allowlists.
  • The stolen funds were laundered through Tornado Cash; no public recovery.

Why it matters

Furucombo is the canonical case for the "evil contract via delegatecall" vulnerability class. Any contract that holds user approvals and can delegatecall to attacker-influenceable targets is one missing-validation away from being a wallet drainer for all of its users. The same pattern reappeared at LI.FI (2024) and many other approval-based aggregators.

The deeper lesson — re-emphasised by Furucombo and every similar incident — is that infinite approvals to upgradeable contracts compound trust forever. Modern wallet UX features (Revoke.cash, time-bounded permits via EIP-2612, bounded approval defaults) all exist as direct responses to the Furucombo class of failure.
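To show what the EIP-2612 mitigation mentioned above looks like from the contract side, here is an added example (not Furucombo's code; the contract and function names are hypothetical). Instead of relying on a standing, often infinite, allowance, the batcher consumes a signed permit for the exact amount with a deadline, pulls the tokens in the same transaction, and leaves no residual allowance for a later bug to drain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not Furucombo's contracts. Names are hypothetical.

interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Subset of the EIP-2612 interface: a signed, deadline-bounded approval.
interface IERC20Permit {
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external;
}

contract PermitBatcher {
    event Pulled(address indexed user, address indexed token, uint256 amount);

    /// Pull exactly `amount` of `token` from the caller using a permit that expires at
    /// `deadline`. The allowance is created and consumed in this one transaction, so the
    /// batcher never holds a standing approval that could be swept by a later defect.
    function pullWithPermit(
        address token,
        uint256 amount,
        uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "permit expired");

        // Permit signatures are public once broadcast: anyone can front-run this call
        // by submitting the same permit first, which would make a bare permit() revert.
        // Tolerate that by catching the failure and verifying the allowance instead.
        try IERC20Permit(token).permit(msg.sender, address(this), amount, deadline, v, r, s) {
            // permit applied by this call
        } catch {
            // fall through to the allowance check below
        }
        require(
            IERC20(token).allowance(msg.sender, address(this)) >= amount,
            "permit not applied"
        );

        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        emit Pulled(msg.sender, token, amount);

        // ... batched operations on `amount` would follow here; the user's remaining
        // allowance to this contract is zero unless they approved more elsewhere.
    }
}
```

The allowance check after the try/catch is the practical detail to keep: without it, a front-run permit turns a harmless race into a failed user transaction, and with a naive retry users are tempted back toward infinite approvals. Tokens that do not implement EIP-2612 still need the classic approve-then-call flow, in which case approving the exact batch amount rather than `type(uint256).max` is the bounded-approval default the text refers to.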

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-furucombo-evil-contract-hack-feb-2021
  2. [02] rekt.news: https://rekt.news/furucombo-rekt
