Futureswap exploited again as hackers steal $74,000 via reentrancy bug

Decentralized leverage trading platform Futureswap has been exploited for a second time in four days, with the hackers stealing an estimated $74,000 this time around.

Blockchain security firm BlockSec Phalcon disclosed the second attack on X, revealing that attackers had exploited a new vulnerability in the same contract they had targeted just days earlier. The security firm noted that “while the loss is not large, the interesting part is that a new attack surface appeared: a reentrancy vulnerability.”

The attacker employed a two-step process involving Futureswap’s mandatory three-day cooldown period to systematically drain funds.

According to Phalcon, BlockSec’s threat detection platform, the attacker first re-entered the 0x5308fcb1 function before the contract updated its internal accounting. Then the “attacker minted an excessive amount of LP tokens relative to the assets actually deposited.”

After waiting out the withdrawal cooldown, the attacker burned the illicitly minted tokens to redeem the underlying collateral, effectively siphoning assets from the protocol along with the profit.

Futureswap is hacked for the third time in one month

The latest attack comes a few days after the platform lost over $395,000 in an exploit that popped up BlockSec’s Phalcon’s radar. The attackers that participated in that exploit stole the funds through multiple changePosition operations. That incident appeared related to unexpected stableBalance accounting changes during position updates that later allowed USDC to be released when removing collateral.

Futureswap also suffered a governance attack in December 2025 that netted attackers at least $830,000. In that incident, hackers used a flash loan to temporarily borrow governance tokens, gaining voting power to pass a malicious proposal that transferred funds from the protocol.

Futureswap has so far lost over $1 million cumulatively across three separate attacks that have leveraged different vulnerabilities on the platform.

Legacy DeFi protocols under siege

The Futureswap incidents form part of the over $27 million lost to hackers who continue to target legacy DeFi platforms into 2026.

Other Arbitrum-based protocols have suffered similar fates in recent weeks. In early January, USDGambit and TLP lost $1.5 million when attackers gained admin access and deployed malicious smart contracts. TMX Tribe suffered a $1.4 million exploit, while the IPOR Fusion USDC vault lost $336,000 through a legacy contract vulnerability, though it has pledged to fully reimburse affected users.

Despite the security breaches that have hit protocols based on Arbitrum, the layer-2 blockchain still holds over $3.1 billion in total value locked in DeFi, which some analysts may say is part of what makes it an attractive target for attackers.

The network has remained near the top position among Ethereum Layer-2 solutions in terms of total value locked since launching in 2021.

What’s going on at the Futureswap camp?

Nobody on the Futureswap team has released a statement concerning the exploits. The last post on the platform’s X account dates to 2023, and the protocol is said to have been last audited in 2021.

The case raises difficult questions about responsibility when protocols are abandoned but continue to hold user funds. Security experts recommend that teams either properly deprecate and sunset legacy contracts or conduct fresh security audits and verify source code.

Users, meanwhile, are advised to withdraw assets from older contracts showing signs of abandonment.

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program