FutureSwap Credential Disclosure

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

FutureSwap

FutureSwap is a decentralized exchange that operates on Arbitrum, a layer 2 solution to scale ethereum. One of the users who held over 300,000 FST (valued ~$798k USD) suffered an account breach and their funds were stolen. Details of the specific breach method were not located. The protocol apparently paused the smart contract, bringing their system offline for 24-48 hours, in order to restore the funds.

This is a global/international case not involving a specific country. ^[1][2]

About FutureSwap

^{[3][4][5][6][7][8][9][10]}

"The Future of Perpetuals Is Here. Leverage on any tokens with a protocol trusted with billions for its price execution, super low fees and reliability." "Take full control of your crypto. Built on Ethereum, our non-custodial perpetuals exchange focuses on one thing: being the best execution environment for trades."

"Futureswap is a decentralized non-custodial perpetual protocol where users can gain leveraged exposure on assets. Liquidity providers (LPs) deposit liquidity in order to earn passive income from trading fees and FST incentives. This liquidity is utilized by the Futureswap protocol and other automated market makers (AMMs) under the hood to create leveraged exposure. Realistically, Futureswap operates as a lending protocol as no leverage contracts are being created but only LPs lending funds while holding collateral."

"Take full advantage of everything Layer 2 has to offer. Say goodbye to eye-watering gas fees. Get your money in an instant with superfast withdrawals. Stay completely secure with optimistic rollups. Execute your trades instantly. Trade from any device. Gain leveraged exposure on limitless assets."

"We have all been in this industry too long not to make the security of your funds our absolute top priority. That’s why, so far, we’ve spent upwards of $450k on audits from Open Zeppelin and Trail of Bits, as well as code reviews from white hats."

The Reality

TBD

What Happened

"The credentials for [a FutureSwap] account were compromised by human error, and the attacker was able to gain access on Arbitrum and transfer the available reward FST to himself."

Technical Analysis

^[10][12]

"The credentials for [a FutureSwap] account were compromised by human error, and the attacker was able to gain access on Arbitrum and transfer the available reward FST to himself."

Total Amount Lost

The total amount lost has been estimated at $798,000 USD.^[5][7]

Immediate Reactions

Twitter Post About Breach

Future Swap shared about the incident on Twitter and announced their plans to migrate the contract^[11][12].

1/ Last night, an account with access to a reserve of ~300,000 FST for rewards (0.3% of the supply) was compromised. We took action to remove control of the compromised FST by migrating the FST contract on Arbitrum.

2/ The credentials for this account were compromised due to human error. The attacker was able to gain access and transfer the available rewards FST to themselves on Arbitrum.

3/ Mainnet FST is unaffected. Arbitrum FST has been redeployed to the state before the withdrawal using a new contract. The FST Arbitrum bridge is currently disabled, and we plan to restore it within 24 to 48 hours.

4/ The new Arbitrum FST contract is https://arbiscan.io/token/0x90e81b81307ece4257c1bb74bea94f5232cece53…. The old one (0x488cc08935458403a0458e45e20c0159c8ab2c92) is no longer valuable and should not be traded.

5/ Trust and security are always our top priority. Our contracts are heavily audited and we are always improving our internal processes. Though the surface area of this attack was small, it’s a reminder that we can never be too careful.

"Decentralized derivatives trading platform FutureSwap tweeted that an account with around 300,000 FST reward reserves (0.3% of supply) was compromised yesterday." "Last night, an account with access to a reserve of ~300,000 FST for rewards (0.3% of the supply) was compromised."

"We took action to remove control of the compromised FST by migrating the FST contract on Arbitrum." "Mainnet FST is unaffected. Arbitrum FST has been redeployed to the state before the withdrawal using a new contract." "Currently Arbitrum FST has used the new contract to take control of the compromised FST, the FST Arbitrum bridge is currently disabled and is scheduled to be restored within 24 to 48 hours."

Ultimate Outcome

Switching To A New Smart Contract

^[12]

"The new Arbitrum FST contract [has been deployed]. The old one is no longer valuable and should not be traded."

Total Amount Recovered

The total amount recovered has been estimated at $798,000 USD.

Ongoing Developments

TBD

Individual Prevention Policies

The loss could have been prevented through better safeguarding of the private key.

Preventing Loss Of Funds

Users have a responsibility to safeguard their private key and avoid compromise through not sharing their seed phrase, exercising diligence for all transactions, and use a controlled secure environment to access cryptocurrency.

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc... Never ever send these to anyone else who you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you like pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

Safety With Smart Contracts

No other funds were reported lost in this case, however access to funds stored on the smart contract was restricted during the failure period.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This situation could be avoided by providing additional education for users to help improve their security.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

An industry insurance fund could assist users affected by account breaches.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This situation could be avoided by providing additional education for users to help improve their security.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

An industry insurance fund could assist users affected by account breaches.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References