Furucombo's stolen $14 million revelation: Don't over-authorize
PeckShield
2021-02-28 04:01
The vulnerability is the same principle as the vulnerability that appeared in Primitive Finance a few days ago, and it is related to the user's unlimited authorization.

Editor's Note: This article comes from PeckShield (ID: PeckShield), reprinted by Odaily with authorization.


In the early hours of February 28th, Beijing time, a serious vulnerability appeared in the Furucombo smart contract, an Ethereum protocol combination tool. Attackers have made more than $14 million from exploiting this vulnerability.

PeckShield analysis found that this vulnerability is the same as the vulnerability that appeared in Primitive Finance a few days ago, and it is related to the user's unlimited authorization.

Because Cream Finance did not revoke in a timely manner all the authorizations its wallet had granted to external contracts, it was also affected by this vulnerability, losing approximately $1.1 million.

Launched in March 2020, the DeFi aggregator Furucombo initially only supported Uniswap V1 transactions and Compound supply functions. In December 2020, Furucombo added protocols such as Uniswap, Compound and Aave.

Its CEO Hsuan-Ting Chu once said: "Furucombo is different from 1inch and Yearn Finance. Furucombo aggregates various DeFi protocols. With Furucombo, everything is 'permissionless'."

At the same time, Furucombo allows users to take uncollateralized flash loans and borrow any amount of assets.

Through tracking and analysis, PeckShield found that the Furucombo protocol composes other protocols like Lego bricks, and that this vulnerability is tied to users' unlimited authorizations. First, the attacker creates an attack contract and runs it through the vulnerable Furucombo proxy;

Furucombo then calls the whitelisted AaveLendingPoolv2 handler, passing the address of the attack contract as a parameter, and invokes the AaveLendingPoolv2::initialize() function, which in turn calls the supplied attack contract;

Finally, for any user who has not revoked their authorization, the attacker can drain the assets in that user's wallet by going through the Furucombo proxy.
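The last step only works because a standing ERC-20 allowance to the proxy is still in place. A wallet (or a monitoring team, as in the Cream Finance case above) can find such allowances from on-chain data. The Python script below is an added example written for this article, not PeckShield's or Furucombo's code: it replays ERC-20 `Approval` event logs in the shape `eth_getLogs` returns, keeps the latest allowance per (token, owner, spender), flags allowances that are unlimited or larger than the owner's balance, and builds the `approve(spender, 0)` calldata used to revoke one. Every address, balance and log entry in it is constructed for the demonstration; the only real values are the standard ERC-20 `Approval` topic hash and the `approve` function selector.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard ERC-20 identifiers (real values).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1         # the "unlimited" allowance many dApps request by default

# Constructed, non-real addresses used only for this demonstration.
TOKEN = "0x" + "cc" * 20
OWNER = "0x" + "aa" * 20
PROXY = "0x" + "bb" * 20   # stands in for a protocol proxy contract
DEX = "0x" + "dd" * 20
VAULT = "0x" + "ee" * 20


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int


def pad_address(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros), without the 0x prefix."""
    return addr[2:].lower().rjust(64, "0")


def make_approval_log(token: str, owner: str, spender: str, value: int) -> dict:
    """Build a log entry in the JSON-RPC shape eth_getLogs returns (constructed sample data)."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, "0x" + pad_address(owner), "0x" + pad_address(spender)],
        "data": "0x" + value.to_bytes(32, "big").hex(),
    }


def parse_approval_log(log: dict) -> Optional[Approval]:
    """Decode an Approval event; owner and spender are indexed topics, the amount is in data."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # some other event (e.g. Transfer) - ignore it
    return Approval(
        token=log["address"].lower(),
        owner="0x" + topics[1][-40:].lower(),
        spender="0x" + topics[2][-40:].lower(),
        value=int(log["data"], 16),
    )


def current_allowances(logs: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Replay Approval events in order; the last event per (token, owner, spender) is the live allowance."""
    state: Dict[Tuple[str, str, str], int] = {}
    for log in logs:
        a = parse_approval_log(log)
        if a is not None:
            state[(a.token, a.owner, a.spender)] = a.value
    return state


def risky_allowances(state: Dict[Tuple[str, str, str], int],
                     balances: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, str, str]]:
    """Flag live allowances that are unlimited, or larger than what the owner actually holds."""
    findings = []
    for (token, owner, spender), value in state.items():
        if value == 0:
            continue  # already revoked
        if value == MAX_UINT256:
            findings.append((token, owner, spender, "unlimited"))
        elif value > balances.get((token, owner), 0):
            findings.append((token, owner, spender, "exceeds balance"))
    return findings


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the transaction the owner sends to the token to revoke."""
    return APPROVE_SELECTOR + pad_address(spender) + "0" * 64


# Constructed event history for one owner and one token.
SAMPLE_LOGS = [
    make_approval_log(TOKEN, OWNER, PROXY, MAX_UINT256),   # unlimited approval to a proxy contract
    make_approval_log(TOKEN, OWNER, DEX, 1000 * 10**18),   # bounded, but more than the owner holds
    make_approval_log(TOKEN, OWNER, VAULT, 100 * 10**18),  # bounded and within balance
    make_approval_log(TOKEN, OWNER, VAULT, 0),             # later revoked, so it drops out
    {   # an unrelated Transfer event that the parser must skip
        "address": TOKEN,
        "topics": ["0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef",
                   "0x" + pad_address(OWNER), "0x" + pad_address(DEX)],
        "data": "0x" + (5 * 10**18).to_bytes(32, "big").hex(),
    },
]
SAMPLE_BALANCES = {(TOKEN, OWNER): 500 * 10**18}  # constructed balance


if __name__ == "__main__":
    for token, owner, spender, why in risky_allowances(current_allowances(SAMPLE_LOGS), SAMPLE_BALANCES):
        print(f"{why}: {owner} -> {spender} on {token}; revoke with calldata {revoke_calldata(spender)}")
```

On a real chain the same logic runs over `eth_getLogs` results filtered by the `Approval` topic and the owner's address, and the revocation is a normal transaction from the owner to the token contract carrying the calldata returned by `revoke_calldata`. The "exceeds balance" check is a policy choice: an allowance capped at what a single operation needs limits the damage if the spender contract is ever compromised, which is the point of the article.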

Driven by liquidity mining, DeFi took off in 2020 and became the focus of financial innovation, with ever more diverse ways to participate. Because its protocols hold large amounts of valuable assets, DeFi has also become the area hardest hit by attacks.

PeckShield security experts said: "DeFi aggregator Furucombo has played Lego to the extreme, but the audit of each link is all the more important. New combinations will keep changing and adapting, which requires regular and continuous monitoring and security audits of contracts, instead of ticking the boxes before launching."

When dealing with assets, authorize carefully. DeFi is going through a period of unprecedented growth in which the cost of trust is very high.
