Verify a decision

{"actor":"system:backfill","investigation_id":"6d3ecece-e2c4-4c16-98dd-88ea42f5b143","kind":"publish","page_slug":"furucombo","published_at":"2026-05-19T21:12:23.357Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Furucombo","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://furucombo.app/"},{"credibility":3,"name":"","type":"other","url":"https://docs.furucombo.app/"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/token/0xfFffFffF2ba8F66D4e51811C5190992176930278"},{"credibility":3,"name":"","type":"other","url":"https://finematics.com/how-to-use-furucombo/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://medium.com/furucombo/furucombo-post-mortem-march-2021-ad19afd415e"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-furucombo-evil-contract-hack-feb-2021"},{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/defi-tx-bundler-furucombo-hacked-14-million/"},{"credibility":3,"name":"","type":"other","url":"https://x.com/creamdotfinance/status/1365778386849726466"},{"credibility":3,"name":"","type":"other","url":"https://www.vidma.io/blog/the-furucombo-hack-a-14-million-lesson-in-smart-contract-vulnerabilities"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0xb624e2b10b84a41687caec94bdd484e48d76b212"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0x52F9eea36F57d86A0F051419Fd11e4A256359C8f"},{"credibility":3,"name":"","type":"other","url":"https://etherscan.io/address/0x9901bac880caecad999e292811db9c1db3e86f8a"},{"credibility":3,"name":"","type":"other","url":"https://www.coinspect.com/learn-evm-attacks/cases/furucombo/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/furucombo-will-issue-iou-tokens-compensate-hack-victims/"},{"credibility":3,"name":"","type":"other","url":"https://medium.com/furucombo/furucombo-post-mortem-march-2021-ad19afd415e"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/furucombo-to-issue-ioucombo-tokens-to-repay-victims-of-15m-attack"},{"credibility":3,"name":"","type":"other","url":"https://defillama.com/protocol/furucombo"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-furucombo-evil-contract-hack-feb-2021"},{"credibility":3,"name":"","type":"other","url":"https://www.vidma.io/blog/the-furucombo-hack-a-14-million-lesson-in-smart-contract-vulnerabilities"},{"credibility":3,"name":"","type":"other","url":"https://www.quadrigainitiative.com/casestudy/furucombodefihack.php"},{"credibility":3,"name":"","type":"other","url":"https://cryptobriefing.com/furucombo-will-issue-iou-tokens-compensate-hack-victims/"}]}],"sources_used":[],"summary":"Furucombo is an Ethereum-based DeFi composability protocol launched in March 2020 that enables users to batch complex multi-protocol transactions via a drag-and-drop interface. On February 27, 2021, the protocol suffered a critical 'evil contract' exploit in which an attacker spoofed a new Aave v2 implementation via Furucombo's proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 users who had granted standing token approvals to the platform. The team responded with a compensation plan issuing iouCOMBO tokens subject to a 360-day vesting schedule, but the incident exposed fundamental risks in delegatecall-based proxy architectures and broad token approval models.","timeline":[{"date":"2020-03-01","event":"Furucombo launches on Ethereum mainnet as a DeFi composability and transaction batching platform.","source":""},{"date":"2021-02-27","event":"At approximately 16:47 UTC, an attacker deploys an evil contract and exploits Furucombo's proxy via an uninitialized Aave v2 upgradeable proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 user addresses in under one hour.","source":""},{"date":"2021-02-27","event":"Cream Finance confirms its treasury lost $1.1 million in the Furucombo attack via a public Twitter post.","source":""},{"date":"2021-02-27","event":"At approximately 17:46 UTC, Furucombo removes the Aave v2 lending pool from its registry contract, halting the attack approximately 59 minutes after it began.","source":""},{"date":"2021-02-27","event":"Attacker begins moving stolen funds through Tornado Cash to obscure on-chain trail. Attacker address 0xb624e2b10b84a41687caec94bdd484e48d76b212 holds ~4,560 ETH and ~$7M in ERC-20 tokens post-attack.","source":""},{"date":"2021-03-01","event":"Furucombo publishes post-mortem, acknowledges vulnerability, commits to compensating all affected users, and deploys replacement proxy contract at 0xA013AfbB9A92cEF49e898C87C060e6660E050569.","source":""},{"date":"2021-03-08","event":"Furucombo announces iouCOMBO token compensation plan: 5 million iouCOMBO tokens (1M from core team, 4M from community fund) subject to a 360-day linear vesting schedule starting March 1, 2021.","source":""},{"date":"2021-04-01","event":"iouCOMBO tokens scheduled for distribution to hack victims following completion of security audits. COMBO token price had fallen approximately 18.7% within 24 hours of the compensation announcement.","source":""}]},"v":1}