# furucombo exploit demonstrated unrestricted delegatecall enabling storage approval manipulation

On 27 February 2021, Furucombo's Proxy contract, which batches DeFi actions by delegatecalling into "handler" contracts whose addresses are supplied by the caller, was drained of roughly $14M in user funds. The Proxy did compare handler addresses against a registry, but the registry included Aave's V2 LendingPool proxy. A delegatecall runs the callee's code against the caller's storage, so when the Aave proxy code ran in Furucombo's context its implementation slot and initialized flag were read from Furucombo's storage, where both were empty. The attacker called the Aave proxy's initialize() through Furucombo, which wrote an attacker-controlled address into the implementation slot in Furucombo's storage. Every later delegatecall through that handler then ran the attacker's code with Furucombo's storage and with the Furucombo Proxy as msg.sender, and that code called transferFrom on tokens that users had approved to the Proxy.

The exploit is the canonical demonstration of [[unrestricted delegatecall allowing user-specified target addresses enables fund drainage and state manipulation]]: the caller chose the handler, and the allowlist did not stop the attack because one approved entry was a proxy whose code resolves to whatever its (here attacker-settable) storage slot points at. Since [[restricting delegatecall to pre-verified logic contracts prevents arbitrary code execution]], an allowlist limited to fixed, non-upgradeable handler logic would have prevented the attack.

---

Relevant Notes:

- [[unrestricted delegatecall allowing user-specified target addresses enables fund drainage and state manipulation]] — the vulnerability pattern
- [[restricting delegatecall to pre-verified logic contracts prevents arbitrary code execution]] — the defense that was missing
- [[delegatecall executes code from another contract using the callers storage context]] — the mechanism exploited

Topics:

- [[exploit-analyses]]
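The two shapes described above, as an added example that is not Furucombo's or Aave's code: a proxy that delegatecalls to caller-named handlers (the vulnerable shape), the kind of handler that spends user approvals once it executes in the proxy's storage context, and a registry-gated proxy. Contract and function names (VulnerableProxy, DrainingHandler, HandlerRegistry, HardenedProxy, batchExec) are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Furucombo's code. Contract and function names are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable shape: delegatecall to whatever address the caller names.
// The callee's code reads and writes THIS contract's storage and is
// msg.sender for any external call it makes, so it can spend every
// allowance that users granted to this proxy.
contract VulnerableProxy {
    function batchExec(address[] calldata handlers, bytes[] calldata datas) external payable {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            (bool ok, bytes memory ret) = handlers[i].delegatecall(datas[i]);
            if (!ok) {
                // bubble up the handler's revert reason unchanged
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// What attacker-controlled handler code needs to do once it runs in the
// proxy's context: one transferFrom. The token sees the proxy as msg.sender,
// and the proxy is the spender the victim approved.
contract DrainingHandler {
    function drain(IERC20 token, address victim, address to, uint256 amount) external {
        require(token.transferFrom(victim, to, amount), "transferFrom failed");
    }
}

// Hardened shape: only registered handlers may be delegatecalled.
// Caveat: register only fixed logic contracts. An upgradeable proxy resolves
// its implementation from a storage slot, and under delegatecall that slot is
// read from the calling contract's storage, where it is empty and therefore
// settable by the caller (the Furucombo failure).
contract HandlerRegistry {
    address public immutable owner;
    mapping(address => bool) public isHandler;

    event HandlerRegistered(address indexed handler);
    event HandlerUnregistered(address indexed handler);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function register(address handler) external onlyOwner {
        require(handler.code.length > 0, "handler must be a deployed contract");
        isHandler[handler] = true;
        emit HandlerRegistered(handler);
    }

    function unregister(address handler) external onlyOwner {
        isHandler[handler] = false;
        emit HandlerUnregistered(handler);
    }
}

contract HardenedProxy {
    HandlerRegistry public immutable registry;

    constructor(HandlerRegistry _registry) {
        registry = _registry;
    }

    function batchExec(address[] calldata handlers, bytes[] calldata datas) external payable {
        require(handlers.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < handlers.length; i++) {
            // This check turns "the caller picks the code" into "the owner picks the code".
            require(registry.isHandler(handlers[i]), "handler not registered");
            (bool ok, bytes memory ret) = handlers[i].delegatecall(datas[i]);
            if (!ok) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}
```

The check in HardenedProxy is necessary but not sufficient: the allowlist only helps if the code behind every registered address is fixed. Registering an upgradeable proxy, or any handler that itself delegatecalls to an address it reads from storage, reintroduces the Furucombo failure, because that storage read happens against the calling proxy's storage rather than the handler's own.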