Futureswap Exploit Drains $395K in USDC on Arbitrum

BlockChainReporter

An exploit on Arbitrum, an Ethereum L2 scaling solution, has drained a total of $395K, targeting the Futureswap smart contract. According to data from BlockSec Phalcon, the exploiter carried out a sequence of operations that included $USDC transfers and flash loans. The exploit has raised fears among users of further losses.

ALERT! Our system detected a suspicious transaction targeting @futureswapx’s contract on #Arbitrum a few hours ago, resulting in an estimated loss of ~$395K. We have attempted to contact the team, but have not received a response so far. The attacker appears to have drained… pic.twitter.com/YPf4vYEqIJ

— BlockSec Phalcon (@Phalcon_xyz) January 10, 2026

Arbitrum Futureswap Exploit Steals $395K in $USDC via Flash Loans

Based on on-chain data, a cumulative $395,000 has left Arbitrum in an exploit focused on the Futureswap smart contract. The incident comprised a complex series of operations, including $USDC transactions and flash loans. The exploit also appears to have used a number of “changePosition” calls, which ultimately enabled the exploiter to extract a notable amount of $USDC.

The transfer trace started with the attacker’s “flashLoanSimple” call, requesting 500B $USDC units from Aave’s Pool V3. This triggered a sequence of delegate calls via “FlashLoanLogic” and “L2PoolInstance,” which transferred the funds to the exploiter’s contract. The attacker then executed the “executeOperation” call, which carried the $USDC loan amount together with a premium of nearly 250M units. The exploit reportedly stemmed from unexpected shifts in “stableBalance” accounting that took place during earlier position updates.
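For monitoring teams, the pattern in this trace (a flash loan, repeated position updates, and a net token outflow from the protocol inside one transaction) can be expressed as a simple heuristic. The sketch below is an added example, not code from BlockSec Phalcon or Futureswap; the trace layout, field names, transfer amounts and alert threshold are assumptions, and only the function names and the loan and premium figures come from the article.

```python
USDC_DECIMALS = 6  # USDC amounts on-chain are integers in units of 10**-6 USDC

# Constructed trace for illustration. Field names ("fn", "target", "src",
# "dst") and the two transfer amounts are assumptions, not real on-chain data.
SAMPLE_TRACE = [
    {"fn": "flashLoanSimple", "target": "AavePoolV3", "amount": 500_000_000_000},
    {"fn": "executeOperation", "target": "Borrower",
     "amount": 500_000_000_000, "premium": 250_000_000},
    {"fn": "transfer", "target": "USDC", "src": "Borrower",
     "dst": "Futureswap", "amount": 100_000_000_000},
    {"fn": "changePosition", "target": "Futureswap"},
    {"fn": "changePosition", "target": "Futureswap"},
    {"fn": "changePosition", "target": "Futureswap"},
    {"fn": "transfer", "target": "USDC", "src": "Futureswap",
     "dst": "Borrower", "amount": 495_000_000_000},
]

def to_usdc(units):
    """Convert raw token units to whole USDC."""
    return units / 10 ** USDC_DECIMALS

def premium_bps(loan_units, premium_units):
    """Flash-loan fee expressed in basis points of the borrowed amount."""
    return premium_units * 10_000 / loan_units

def analyze(trace, protocol, min_position_calls=2):
    """Flag one transaction that combines a flash loan, repeated position
    updates on `protocol`, and a net token outflow from `protocol`.
    min_position_calls is a hypothetical tuning threshold."""
    loans = [c for c in trace if c["fn"] == "flashLoanSimple"]
    updates = sum(1 for c in trace
                  if c["fn"] == "changePosition" and c["target"] == protocol)
    transfers = [c for c in trace if c["fn"] == "transfer"]
    out_units = sum(c["amount"] for c in transfers if c["src"] == protocol)
    in_units = sum(c["amount"] for c in transfers if c["dst"] == protocol)
    net = out_units - in_units
    return {
        "flash_loan_usdc": to_usdc(sum(c["amount"] for c in loans)),
        "position_updates": updates,
        "net_outflow_usdc": to_usdc(net),
        "alert": bool(loans) and updates >= min_position_calls and net > 0,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE, "Futureswap"))
```

With USDC's six decimals, the 500B units in the article correspond to 500,000 USDC and the 250M-unit premium to a 5 basis point fee.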

Incident Highlights Need for Solid DeFi Protections and Transparency

According to BlockSec Phalcon, the flaw may have allowed the exploiter to circumvent collateral restrictions and extract $USDC while removing positions. The Futureswap team is expected to release a public statement addressing the incident. The incident highlights the importance of strict accounting protections and transparent contract infrastructure in DeFi platforms. Investigations are underway to determine suitable remedies.
