BlockSec: FutureSwap Protocol on Arbitrum Under Attack Again, Reentrancy Vulnerability Causes Loss of $74,000

Foresight News reports that, according to BlockSec Phalcon monitoring, the Futureswap contract on Arbitrum was attacked again, with an estimated loss of about $74,000. Although the loss is not large, it is worth noting that this attack exposed a new attack surface: reentrancy vulnerability. The attacker stole funds from the protocol through a two-step process that included a three-day cooldown period. The first step is the minting phase, where the attacker exploited the reentrancy vulnerability during liquidity provision by re-entering the 0x5308fcb1 function before the contract updated internal accounts, minting a large amount of LP tokens relative to the actual deposited assets. The second step is the withdrawal phase, where the attacker waited for the mandatory three-day withdrawal cooldown period and then executed the withdrawal, burning the illegally minted LP tokens to exchange for the underlying collateral, effectively stealing assets from the protocol and making a profit.