Furucombo
1 decision on this page

Audit log

Every state-changing event for Furucombo: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-05-19 21:12:23Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 420,848,172
    sig: 2Xxsbbzdwhqz…5PN1aKWf
    hash: 28NW7BZR1ovR…qfj6AAjK (sha256 → base58)
    canonical bytes (5594 B):
    {"actor":"system:backfill","investigation_id":"6d3ecece-e2c4-4c16-98dd-88ea42f5b143","kind":"publish","page_slug":"furucombo","published_at":"2026-05-19T21:12:23.357Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Furucombo","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://furucombo.app/"},{"credibility":3,"name":"","type":"other","url":"https://docs.furucombo.app/"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/token/0xfFffFffF2ba8F66D4e51811C5190992176930278"},{"credibility":3,"name":"","type":"other","url":"https://finematics.com/how-to-use-furucombo/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://medium.com/furucombo/furucombo-post-mortem-march-2021-ad19afd415e"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-furucombo-evil-contract-hack-feb-2021"},{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/defi-tx-bundler-furucombo-hacked-14-million/"},{"credibility":3,"name":"","type":"other","url":"https://x.com/creamdotfinance/status/1365778386849726466"},{"credibility":3,"name":"","type":"other","url":"https://www.vidma.io/blog/the-furucombo-hack-a-14-million-lesson-in-smart-contract-vulnerabilities"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0xb624e2b10b84a41687caec94bdd484e48d76b212"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0x52F9eea36F57d86A0F051419Fd11e4A256359C8f"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0x9901bac880caecad999e292811db9c1db3e86f8a"},{"credibility":3,"name":"","type":"other","url":"https://www.coinspect.com/learn-evm-attacks/cases/furucombo/"}]},{"content":"","heading":"","severity":"medium","sources"
:[{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/furucombo-will-issue-iou-tokens-compensate-hack-victims/"},{"credibility":3,"name":"","type":"other","url":"https://medium.com/furucombo/furucombo-post-mortem-march-2021-ad19afd415e"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/furucombo-to-issue-ioucombo-tokens-to-repay-victims-of-15m-attack"},{"credibility":3,"name":"","type":"other","url":"https://defillama.com/protocol/furucombo"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-furucombo-evil-contract-hack-feb-2021"},{"credibility":3,"name":"","type":"other","url":"https://www.vidma.io/blog/the-furucombo-hack-a-14-million-lesson-in-smart-contract-vulnerabilities"},{"credibility":3,"name":"","type":"other","url":"https://www.quadrigainitiative.com/casestudy/furucombodefihack.php"},{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/furucombo-will-issue-iou-tokens-compensate-hack-victims/"}]}],"sources_used":[],"summary":"Furucombo is an Ethereum-based DeFi composability protocol launched in March 2020 that enables users to batch complex multi-protocol transactions via a drag-and-drop interface. On February 27, 2021, the protocol suffered a critical 'evil contract' exploit in which an attacker spoofed a new Aave v2 implementation via Furucombo's proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 users who had granted standing token approvals to the platform. 
The team responded with a compensation plan issuing iouCOMBO tokens subject to a 360-day vesting schedule, but the incident exposed fundamental risks in delegatecall-based proxy architectures and broad token approval models.","timeline":[{"date":"2020-03-01","event":"Furucombo launches on Ethereum mainnet as a DeFi composability and transaction batching platform.","source":""},{"date":"2021-02-27","event":"At approximately 16:47 UTC, an attacker deploys an evil contract and exploits Furucombo's proxy via an uninitialized Aave v2 upgradeable proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 user addresses in under one hour.","source":""},{"date":"2021-02-27","event":"Cream Finance confirms its treasury lost $1.1 million in the Furucombo attack via a public Twitter post.","source":""},{"date":"2021-02-27","event":"At approximately 17:46 UTC, Furucombo removes the Aave v2 lending pool from its registry contract, halting the attack approximately 59 minutes after it began.","source":""},{"date":"2021-02-27","event":"Attacker begins moving stolen funds through Tornado Cash to obscure on-chain trail. Attacker address 0xb624e2b10b84a41687caec94bdd484e48d76b212 holds ~4,560 ETH and ~$7M in ERC-20 tokens post-attack.","source":""},{"date":"2021-03-01","event":"Furucombo publishes post-mortem, acknowledges vulnerability, commits to compensating all affected users, and deploys replacement proxy contract at 0xA013AfbB9A92cEF49e898C87C060e6660E050569.","source":""},{"date":"2021-03-08","event":"Furucombo announces iouCOMBO token compensation plan: 5 million iouCOMBO tokens (1M from core team, 4M from community fund) subject to a 360-day linear vesting schedule starting March 1, 2021.","source":""},{"date":"2021-04-01","event":"iouCOMBO tokens scheduled for distribution to hack victims following completion of security audits. COMBO token price had fallen approximately 18.7% within 24 hours of the compensation announcement.","source":""}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision d95e0c36-ec59-4043-a844-393e368fb036
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
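The row-integrity check described above, sketched as an added example (not avoid.net's verifier and not the code behind src.verify_decision). It assumes canonical bytes are JSON with sorted keys, compact separators and unescaped UTF-8, and that the memo text contains the base58 hash; the event and memo below are constructed.

```python
import hashlib
import hmac
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Bitcoin/Solana-style base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def canonical_bytes(event: dict) -> bytes:
    # Assumed canonical form: sorted keys, no whitespace, UTF-8 left unescaped.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def row_hash(raw: bytes) -> str:
    # "sha256 -> base58", as labelled next to the hash on the page.
    return b58encode(hashlib.sha256(raw).digest())

def is_canonical(raw: bytes) -> bool:
    # Re-serialising must reproduce the exact bytes; otherwise two different
    # byte strings could decode to the same event but hash differently.
    return canonical_bytes(json.loads(raw)) == raw

def verify_row(raw: bytes, stored_hash: str, memo_text: str) -> dict:
    # Hash the bytes exactly as received, never a re-parsed copy.
    computed = row_hash(raw)
    return {
        "row_integrity": hmac.compare_digest(computed.encode(), stored_hash.encode()),
        "canonical": is_canonical(raw),
        # Assumption: the on-chain memo carries the hash as plain text.
        "anchored": computed in memo_text,
    }

# Constructed sample event, modelled on the field names shown in the row above.
SAMPLE = {"actor": "system:backfill", "kind": "publish",
          "page_slug": "furucombo", "sequence_num": 1, "v": 1}
RAW = canonical_bytes(SAMPLE)
STORED = row_hash(RAW)
MEMO = "example-memo:" + STORED  # constructed memo text, format assumed

if __name__ == "__main__":
    print(verify_row(RAW, STORED, MEMO))
    print(verify_row(RAW.replace(b'"sequence_num":1', b'"sequence_num":2'), STORED, MEMO))
```

A result with row_integrity true but anchored false means the stored row is self-consistent while the on-chain witness does not match it, which is the case the "full verify" step exists to catch.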