Days after the changePosition exploit, a separate reentrancy primitive was used. During Futureswap's addLiquidity flow, the LP-mint accounting was performed before all external-call effects had settled: the share calculation and mint ran while an external call was still in flight, so the attacker could re-enter from inside that call and trigger additional LP-token issuance against collateral that was only deposited once. With excess LP minted to the attacker's address, the attacker waited out Futureswap's mandatory 3-day cooldown on withdrawals and then, in a second transaction, burned the illegitimately minted LP tokens to redeem the underlying collateral. Net loss ~$74K. This was the second of three attacks on the platform within roughly a month; cumulative Futureswap losses passed $1M once the third landed. Classic CEI (Checks-Effects-Interactions) violation. Because the contract is closed-source, the pattern has to be read from the deployed bytecode, where it shows up as an external CALL preceding the SSTORE that records the mint in the LP-mint dispatcher. An event emission (LOG) preceding the write is not evidence on its own, since a LOG cannot hand control to another contract; the CALL is what makes the write reachable re-entrantly.
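The mechanism above, as an added worked model that is not Futureswap's code (the real contract is closed-source and its exact share math is not public). The model is one concrete way this bug class yields excess LP: a hypothetical pool that measures a deposit by token balance delta around an external transfer_from, a collateral token that calls a sender hook before moving funds (ERC777-style), and a depositor that re-enters from that hook so the inner deposit's tokens are counted twice. The guarded variant is the fix. All names (HookToken, Pool, Attacker, run_attack), the 1000/100 amounts and the hook semantics are assumptions for illustration.

```python
# Hypothetical model of the bug class, not Futureswap's closed-source code. Assumed:
# deposits are measured by balance delta around an external transfer_from, the token
# notifies the sender before moving funds (ERC777-style), LP burns are locked 3 days.
COOLDOWN = 3 * 24 * 3600  # 3-day withdrawal cooldown: delays the exit, does not stop it


class ReentrancyError(Exception):
    pass


class HookToken:
    """Collateral token whose transfer_from hands control to the sender first."""

    def __init__(self):
        self.balances, self.hooks = {}, {}  # hooks: holder -> callable(amount)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer_from(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src](amount)  # control leaves the pool here
        assert self.balance_of(src) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.mint(dst, amount)


class Pool:
    """LP vault; guarded=False reproduces the interaction-before-effects ordering."""

    def __init__(self, token, guarded):
        self.token, self.guarded, self._entered = token, guarded, False
        self.lp_supply, self.lp, self.unlock_at = 0, {}, {}

    def add_liquidity(self, user, amount, now):
        if self.guarded and self._entered:
            raise ReentrancyError("add_liquidity re-entered")
        self._entered = True
        try:
            before = self.token.balance_of(self)
            # INTERACTION before EFFECTS: a re-entrant deposit completes inside
            # this call, and its tokens are then counted again in `received`.
            self.token.transfer_from(user, self, amount)
            received = self.token.balance_of(self) - before
            shares = received if self.lp_supply == 0 else received * self.lp_supply // before
            self.lp[user] = self.lp.get(user, 0) + shares  # EFFECTS (mint) after the call
            self.lp_supply += shares
            self.unlock_at[user] = now + COOLDOWN
            return shares
        finally:
            self._entered = False

    def remove_liquidity(self, user, now):
        if now < self.unlock_at.get(user, 0):
            raise PermissionError("withdrawal cooldown still active")
        shares = self.lp.pop(user, 0)
        payout = shares * self.token.balance_of(self) // self.lp_supply
        self.lp_supply -= shares
        self.token.balances[self] -= payout
        self.token.mint(user, payout)
        return payout


class Attacker:
    """Re-enters add_liquidity once from inside the token's sender hook."""

    def __init__(self, pool, token, amount, now):
        self.pool, self.amount, self.now, self.reentered = pool, amount, now, False
        token.hooks[self] = self.on_before_transfer

    def on_before_transfer(self, _amount):
        if not self.reentered:  # one level of re-entry is enough
            self.reentered = True
            try:
                self.pool.add_liquidity(self, self.amount, self.now)
            except ReentrancyError:
                pass  # guard held; the outer deposit proceeds normally


def run_attack(guarded, honest_deposit=1_000, attack_amount=100):
    """Return (collateral the attacker paid, collateral redeemed after the cooldown)."""
    token, now = HookToken(), 0
    pool = Pool(token, guarded)
    token.mint("honest_lp", honest_deposit)
    pool.add_liquidity("honest_lp", honest_deposit, now)
    atk = Attacker(pool, token, attack_amount, now)
    token.mint(atk, 2 * attack_amount)
    pool.add_liquidity(atk, attack_amount, now)  # tx 1: deposit plus re-entry
    paid = 2 * attack_amount - token.balance_of(atk)
    try:
        pool.remove_liquidity(atk, now + COOLDOWN - 1)  # too early: the cooldown holds
    except PermissionError:
        pass
    return paid, pool.remove_liquidity(atk, now + COOLDOWN)  # tx 2, three days later
```

run_attack(guarded=False) returns (200, 290): the attacker pays 200 of collateral, is minted LP as if 300 had been deposited, and three days later redeems 290, with the shortfall landing on the honest LP. run_attack(guarded=True) returns (100, 100). Two design points worth noting: the cooldown check fires on the early attempt and changes nothing about the outcome, which is exactly the "exit constraint, not a defensive primitive" observation; and a pure stale-totals variant (re-entering with unchanged totals but no double-counting) would show no gain, because a proportional deposit leaves the share price unchanged, so the excess in the real incident must have come from collateral being counted more than once or from a similar accounting gap.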
Reproduction: a Foundry test in SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above with an Arbitrum RPC configured, and the exploit replays against a fork pinned at the historical block. Use for reproduction only, not against live targets.
Method: Reentrancy during liquidity provision → excess LP mint → 3-day cooldown wait → burn for redemption.
Root cause: CEI violation in addLiquidity. The LP-mint accounting ran while an external call was still in flight, so a re-entrant call from inside that interaction minted additional LP against collateral that was only deposited once.
Narrative: Futureswap's second attack of the month exploited a reentrancy vulnerability in the addLiquidity flow on Arbitrum. The attacker re-entered during LP token minting to receive more LP than the actual deposit warranted, then waited 3 days for Futureswap's mandatory withdrawal cooldown before burning the excess LP for collateral redemption. ~$74K extracted in this leg. A third attack followed later in the month; cumulative losses across all three exceeded $1M.
Notes: Date approximate; sources say 'days after' the Jan 10 exploit. The 3-day cooldown was the attacker's exit constraint, not a defensive primitive: it pushed the redemption into a second transaction three days later, it did not prevent it. Closed-source contract, so the CEI ordering has to be read from the deployed bytecode.
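For the closed-source case the Notes describe, the check a practitioner can actually run is a bytecode-level one. The following is an added heuristic, not DeFiHackLabs or Futureswap code: it disassembles EVM runtime bytecode (skipping PUSH immediates so data bytes are not read as opcodes) and reports every CALL, CALLCODE or DELEGATECALL that is followed by an SSTORE before the linear fall-through path ends at a JUMP or a terminating opcode. STATICCALL is left out because its callee cannot write state. The three bytecode fragments are hand-assembled here for the test and are not Futureswap's bytecode; the assemble helper and its MNEMONIC table are illustration-only.

```python
# Linear-bytecode heuristic for the CEI signature: external call, then storage write
# on the same fall-through path. Added example; the fragments below are constructed.
REENTRANT_CALLS = {0xF1: "CALL", 0xF2: "CALLCODE", 0xF4: "DELEGATECALL"}  # not STATICCALL
SSTORE, JUMP = 0x55, 0x56
TERMINATORS = {0x00, 0xF3, 0xFD, 0xFE, 0xFF}  # STOP RETURN REVERT INVALID SELFDESTRUCT


def disassemble(code):
    """Yield (offset, opcode); PUSH1..PUSH32 immediates are skipped, never decoded as code."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)


def find_call_before_sstore(code):
    """Return (call_offset, sstore_offset) pairs where a write follows a call on one path."""
    findings, open_calls = [], []
    for pc, op in disassemble(code):
        if op in REENTRANT_CALLS:
            open_calls.append(pc)
        elif op == SSTORE and open_calls:
            findings.extend((c, pc) for c in open_calls)
            open_calls = []
        elif op == JUMP or op in TERMINATORS:
            open_calls = []  # fall-through ends here; JUMPI falls through, so it is kept
    return findings


def scan_hex(hexcode):
    """Scan runtime bytecode as an RPC returns it (0x-prefixed hex string)."""
    return find_call_before_sstore(bytes.fromhex(hexcode.removeprefix("0x")))


# Tiny assembler so the constructed samples stay readable (illustration only).
MNEMONIC = {"STOP": 0x00, "CALLER": 0x33, "POP": 0x50, "SSTORE": 0x55,
            "GAS": 0x5A, "JUMPDEST": 0x5B, "CALL": 0xF1}


def assemble(listing):
    out, toks, i = bytearray(), listing.split(), 0
    while i < len(toks):
        if toks[i].startswith("PUSH"):
            n = int(toks[i][4:])
            out.append(0x5F + n)
            out += int(toks[i + 1], 16).to_bytes(n, "big")
            i += 2
        else:
            out.append(MNEMONIC[toks[i]])
            i += 1
    return bytes(out)


# Constructed fragments: a 7-argument CALL to msg.sender, with a storage write after or before.
CALL_TO_CALLER = "PUSH1 0x00 PUSH1 0x00 PUSH1 0x00 PUSH1 0x00 PUSH1 0x00 CALLER GAS CALL POP"
VULNERABLE = assemble(f"JUMPDEST {CALL_TO_CALLER} PUSH1 0x01 PUSH1 0x05 SSTORE STOP")
CEI_ORDER = assemble(f"JUMPDEST PUSH1 0x01 PUSH1 0x05 SSTORE {CALL_TO_CALLER} STOP")
# nonReentrant shape: lock written before the call and cleared after it. The clearing
# write is flagged as well, so every hit from this heuristic needs manual triage.
GUARDED = assemble(f"JUMPDEST PUSH1 0x02 PUSH1 0x00 SSTORE {CALL_TO_CALLER} "
                   f"PUSH1 0x01 PUSH1 0x00 SSTORE STOP")
```

On the samples, find_call_before_sstore returns [(13, 19)] for VULNERABLE, [] for CEI_ORDER and [(18, 24)] for GUARDED. Feed real input with scan_hex on the output of cast code ADDRESS --rpc-url ARBITRUM_RPC. Treat hits as leads, not verdicts: a reentrancy guard that clears its lock after the call matches too (false positive), and a write that is only reached through a JUMP target is missed (false negative), so confirm by locating the dispatcher branch for the addLiquidity selector and reading the path by hand.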
- chain: arbitrum
- protocol: Futureswap (reentrancy)
- bug_class: reentrancy
- date_occurred: 2026-01-15
- loss_usd: $74,000
- source_id: ca:futureswap-arbitrum-reentrancy-2026-01-15