Reentrancy vulnerability not fixed, FutureSwap suffers consecutive attacks with a loss of $74,000

The FutureSwap protocol deployed on Arbitrum experienced two hacking incidents within just four days. According to blockchain security firm BlockSec’s analysis, after the first attack on January 10, the protocol was targeted again on January 11, resulting in a loss of approximately $74,000. More concerning is that both attacks exploited the same reentrancy vulnerability, indicating that the remedial measures taken after the first attack may not have fully addressed the core issue.

Attack Method Analysis

Vulnerability Principle

Reentrancy vulnerabilities are among the most common and dangerous security risks in DeFi protocols. In this incident involving FutureSwap, the vulnerability was in the reentrant function identified by selector 0x5308fcb1. The attacker used this entry point to call back into the protocol while it was still in the middle of processing a transaction, exploiting a logical flaw in how state was updated during that interaction.

Specific Attack Steps

  • Made an abnormal call through the reentrant function 0x5308fcb1
  • Re-entered functions while the contract was still executing, bypassing its balance checks
  • Over-minted LP tokens (liquidity provider tokens)
  • Waited for the cooldown period to end and redeemed the over-credited collateral
  • Extracted the profit

The key to this attack method lies in the time gap: the attacker accumulated inflated LP positions before the cooldown period, then redeemed assets through the normal path once the lock expired. On the surface this looks like an ordinary redemption, but the assets obtained far exceeded what the attacker was legitimately owed.
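To make the mechanism in the steps above concrete, the following hypothetical Solidity vault is added here as an illustration; it is not FutureSwap's code, whose source the article does not show. It assumes LP tokens are credited from the vault's collateral balance delta and that the collateral token invokes an ERC777-style sender hook before the transfer, which is where a re-entrant deposit gets counted twice; the hardened variant rejects the nested call with a mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical LP vault written for this article (not FutureSwap's code).
// LP tokens are credited from the vault's collateral balance delta, and the
// collateral is an ERC777-style token whose pre-transfer `tokensToSend` hook
// calls back into the depositor. A contract depositor can re-enter deposit()
// from that hook before the first credit is recorded, so one transfer is
// counted twice: once in the nested call and again by the outer call.
interface IHookedToken {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VulnerableVault {
    IHookedToken public immutable collateral;
    mapping(address => uint256) public lpBalance;
    mapping(address => uint256) public unlockAt;  // cooldown before redeem
    uint256 public constant COOLDOWN = 1 days;
    constructor(IHookedToken token) { collateral = token; }

    function deposit(uint256 amount) external virtual {
        uint256 before = collateral.balanceOf(address(this));
        // Interaction before effect: the token calls the sender's hook here,
        // and a nested deposit() sees the same stale `before`.
        collateral.transferFrom(msg.sender, address(this), amount);
        uint256 received = collateral.balanceOf(address(this)) - before;
        lpBalance[msg.sender] += received;   // nested credit + outer credit > amount
        unlockAt[msg.sender] = block.timestamp + COOLDOWN;
    }
}

// Same accounting, but a mutex reverts any nested entry during the external
// call. The cooldown alone is not a defence: it only delays redemption of LP
// tokens that were already over-credited.
contract HardenedVault is VulnerableVault {
    uint256 private locked = 1;              // 1 = free, 2 = entered
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(IHookedToken token) VulnerableVault(token) {}

    function deposit(uint256 amount) external override nonReentrant {
        uint256 before = collateral.balanceOf(address(this));
        collateral.transferFrom(msg.sender, address(this), amount);
        lpBalance[msg.sender] += collateral.balanceOf(address(this)) - before;
        unlockAt[msg.sender] = block.timestamp + COOLDOWN;
    }
}
```

With the vulnerable vault, a deposit of 100 that re-enters once is credited 300 LP tokens for 200 units actually transferred; the hardened vault reverts the nested call, so the outer deposit is credited exactly what arrived.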

Impact Assessment

Threat to FutureSwap

The consecutive attacks suggest that the security fixes for the protocol may be flawed. After the first attack, the project team likely conducted urgent audits and patch updates, yet the second attack still succeeded, implying:

  • The initial fix may have been incomplete
  • Other similar vulnerabilities might exist
  • The cooldown mechanism itself may need to be redesigned

User Funds Risk

Although the loss was “only” $74,000, for a protocol with questionable security, this significantly undermines user confidence. Users with funds in the protocol face not only direct financial loss but also liquidity risks.

Industry Insights

From a personal perspective, this incident reveals several real issues within the DeFi ecosystem:

First, the lag in security audits. Many protocols undergo audits before launch, but hackers often find overlooked angles. While reentrancy is not a new concept, it remains a “common weapon” for attackers.

Second, the pressure for rapid fixes. When vulnerabilities are discovered, project teams need to complete repairs, audits, and deployments in a very short time, which can lead to oversights under high pressure.

Third, users’ due diligence responsibilities. Even audited protocols can carry risks; users must be responsible for their own funds.

Summary

The consecutive attacks on FutureSwap highlight that reentrancy vulnerabilities remain a major threat in DeFi protocols. The issue is not specific to this protocol alone; it is a warning for the entire ecosystem. For users, it is necessary to reassess the security of the protocol and consider whether to continue using it; for the industry, stricter security standards and faster emergency response mechanisms are needed. Attention should now be on whether the protocol will undergo a more thorough security upgrade and whether affected users will be compensated.
