Summary
Furucombo is an Ethereum-based DeFi composability protocol launched in March 2020 that enables users to batch complex multi-protocol transactions via a drag-and-drop interface. On February 27, 2021, the protocol suffered a critical 'evil contract' exploit in which an attacker spoofed a new Aave v2 implementation via Furucombo's proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 users who had granted standing token approvals to the platform. The team responded with a compensation plan issuing iouCOMBO tokens subject to a 360-day vesting schedule, but the incident exposed fundamental risks in delegatecall-based proxy architectures and broad token approval models.
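The standing token approvals mentioned in the summary can be audited from ERC-20 `Approval` event logs. The following is an added example, not code from Furucombo or from this investigation: it replays logs and reports which approvals to a given spender are still non-zero. The addresses and sample logs are constructed placeholders, and the log field layout (integer `blockNumber` and `logIndex`) is an assumption about how the logs were exported.

```python
# Added example: which ERC-20 approvals to one spender are still standing?
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def standing_approvals(logs, spender):
    """Map (token, owner) -> last approved amount, for non-zero approvals to spender."""
    spender = spender.lower()
    latest = {}
    # Replay in chain order so a later Approval (e.g. a revoke to 0) overwrites.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the signature but has 4 topics
        if topic_to_address(topics[2]) != spender:
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def risk(amount):
    # Wallets commonly approve 2**256-1; treat anything in the top half as unlimited.
    return "unlimited" if amount >= 2**255 else "bounded"

# --- constructed sample data (placeholder addresses, not from the incident) ---
def _addr(byte): return "0x" + byte * 20
def _topic(addr): return "0x" + "0" * 24 + addr[2:]
def _log(token, owner, spender, amount, block, index=0):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)],
            "data": "0x" + format(amount, "064x")}

SPENDER, OTHER = _addr("ff"), _addr("ee")
TOKEN_1, TOKEN_2 = _addr("a1"), _addr("a2")
ALICE, BOB, CAROL = _addr("11"), _addr("22"), _addr("33")
SAMPLE_LOGS = [
    _log(TOKEN_1, BOB, SPENDER, 0, 105),            # Bob revokes later
    _log(TOKEN_1, ALICE, SPENDER, MAX_UINT256, 100),
    _log(TOKEN_1, BOB, SPENDER, 500, 101),
    _log(TOKEN_1, CAROL, OTHER, 1000, 102),         # different spender
    _log(TOKEN_2, ALICE, SPENDER, 250, 103),
]

if __name__ == "__main__":
    for (token, owner), amount in standing_approvals(SAMPLE_LOGS, SPENDER).items():
        print(token, owner, risk(amount), amount)
```

The last approved amount is an upper bound, since `transferFrom` reduces the allowance without necessarily emitting a new `Approval` event; confirm live exposure with the token's `allowance(owner, spender)` call.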
Timeline (8 events)
2020-03-01
Furucombo launches on Ethereum mainnet as a DeFi composability and transaction batching platform.
2021-02-27
At approximately 16:47 UTC, an attacker deploys an evil contract and exploits Furucombo's proxy via an uninitialized Aave v2 upgradeable proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 user addresses in under one hour.
2021-02-27
Cream Finance confirms its treasury lost $1.1 million in the Furucombo attack via a public Twitter post.
2021-02-27
At approximately 17:46 UTC, Furucombo removes the Aave v2 lending pool from its registry contract, halting the attack approximately 59 minutes after it began.
2021-02-27
Attacker begins moving stolen funds through Tornado Cash to obscure on-chain trail. Attacker address 0xb624e2b10b84a41687caec94bdd484e48d76b212 holds ~4,560 ETH and ~$7M in ERC-20 tokens post-attack.
2021-03-01
Furucombo publishes post-mortem, acknowledges vulnerability, commits to compensating all affected users, and deploys replacement proxy contract at 0xA013AfbB9A92cEF49e898C87C060e6660E050569.
2021-03-08
Furucombo announces iouCOMBO token compensation plan: 5 million iouCOMBO tokens (1M from core team, 4M from community fund) subject to a 360-day linear vesting schedule starting March 1, 2021.
2021-04-01
iouCOMBO tokens scheduled for distribution to hack victims following completion of security audits. COMBO token price had fallen approximately 18.7% within 24 hours of the compensation announcement.
Decision Log
- hash: 28NW7BZR1ovRgYc1Zyu7D93RBkNLgFzjysiCqfj6AAjK
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:58 AM
last updated: 5/19/2026, 9:12:23 PM