
Furucombo
Hacked · DeFi · $COMBO · born 2020 · ✝ 2021
A delegatecall flaw let an attacker impersonate the protocol for ~$14M.
Furucombo was an Ethereum tool that let users build and batch complex DeFi transactions with drag-and-drop legos. In February 2021 an attacker abused a delegatecall flaw in its proxy, tricking it into approving and moving roughly $14M of users' tokens.
- Peak: ~$14M stolen
- Cause: Hacked
- Year of death: 2021
☠️ Cause of death
A misused delegatecall let the attacker set a malicious implementation as if it were a trusted protocol, executing arbitrary logic with the proxy's permissions.
📓 Lessons left behind
- Delegatecall hands your storage and permissions to other code.
- Whitelist and verify every target a proxy can call.
- Convenience abstractions can become privilege-escalation paths.
🌱 The idea that survived
Safe proxy patterns
Reinforced strict target whitelisting and audited delegatecall use in proxy contracts.
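The whitelisting idea above, as an added Solidity illustration that is not Furucombo's code: the batching proxy delegatecalls only into handler contracts an owner has registered, so a caller cannot point the proxy's storage and token approvals at arbitrary logic. The contract names (HandlerRegistry, BatchProxy) and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Furucombo's code): an owner-controlled registry
// of delegatecall targets, and a batching proxy that refuses any other target.
contract HandlerRegistry {
    address public owner;
    mapping(address => bool) public isHandler;

    event HandlerSet(address indexed handler, bool allowed);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Only the owner can add or remove handlers, and only deployed contracts qualify.
    function setHandler(address handler, bool allowed) external onlyOwner {
        require(handler.code.length > 0, "handler must be a contract");
        isHandler[handler] = allowed;
        emit HandlerSet(handler, allowed);
    }
}

contract BatchProxy {
    HandlerRegistry public immutable registry;

    constructor(HandlerRegistry _registry) { registry = _registry; }

    // Every call in the batch runs via delegatecall, i.e. with this proxy's
    // storage, ETH balance and token approvals. The whitelist check before each
    // call is what stops a caller from handing that power to untrusted code.
    function batchExec(address[] calldata handlers, bytes[] calldata datas) external {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            require(registry.isHandler(handlers[i]), "handler not whitelisted");
            (bool ok, bytes memory ret) = handlers[i].delegatecall(datas[i]);
            if (!ok) {
                // Bubble up the handler's revert reason unchanged.
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}
```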
#defi #delegatecall #proxy