
Authors: @danimimm (danimim.eth), @guiribabrb (guiriba.eth)
We thank lzhou1110 and hklst4r for their analysis — without which we would not have become aware of the attack on Futureswap.
For centuries, the English Treasury recorded debts using wooden tally sticks. The system worked so well that it stopped being questioned: each tally was split lengthwise into two matching halves, creating a physical record that could only be validated by reuniting the originals. Forgery required reproducing an exact, irregular fit, which was practically impossible.

When it was finally abandoned, thousands of forgotten tallies were burned beneath the Houses of Parliament. The fire spread and destroyed much of Westminster in 1834.

The system did not fail because it was attacked, but because no one was watching it anymore.
What happened at Futureswap on the night of December 16, 2025 echoed a similar pattern.
Futureswap is a protocol that allows investors to use leverage on any token. It has two types of users: (1) liquidity providers and (2) traders seeking leveraged exposure.
The protocol is governed by holders of its governance token, $FST. It operates as a DAO.
Yesterday, US$250K was stolen from its contracts due to a governance vulnerability. This money did not belong to the DAO itself, but to users who had funds deposited in Futureswap.
To understand how the attack happened, we first need to look at a core crypto primitive: flash swaps.

Some decentralized exchanges, Uniswap v2 among them, let users take tokens out of a liquidity pool without paying up front, as long as the tokens (or their equivalent value) are returned before the transaction ends. You effectively “borrow” funds from a liquidity pool and repay this “loan” within a single transaction.
Some of the main use cases for this functionality include (1) token arbitrage, (2) executing multiple operations in a single transaction, and even (3) gaining leveraged exposure to other tokens.
Flash swaps, like flash loans (which are similar but exist in lending markets), are primarily used by bots to arbitrage tokens. Unfortunately, they are also tools frequently used by hackers to exploit and drain protocols — in this case, DAOs.

In a flash loan or flash swap attack against a DAO, the attacker borrows millions of dollars’ worth of governance tokens to gain enough voting power to pass any proposal within the DAO. This grants them the ability to change security parameters, drain the DAO’s treasury, and even steal funds from protocol users.
This is possible because governance contracts commonly take a snapshot of voting power at a specific point in time. The goal is to ensure that members’ voting power does not fluctuate during an active vote.
What a flash loan or flash swap attack exploits is this exact mechanism: the attacker borrows tokens precisely in the block where the governance snapshot is taken. The loan lasts only one block (around 12 seconds on Ethereum), has a near-zero cost, and can temporarily make the attacker one of the most powerful members of the DAO.
Beanstalk is a well-known case of a governance attack using flash loans — and Futureswap met a similar fate.
In the Futureswap attack, the hacker executed a flash swap of $FST on Uniswap v2 exactly at the moment the DAO snapshot was taken, which happens when a proposal is submitted to governance.
The attack therefore had three parts, all inside one transaction: (1) submitting a proposal, which (2) triggers the snapshot, while (3) a flash swap of enough $FST, taken in that same transaction, makes the attacker one of the addresses with the highest voting power in Futureswap at the instant the snapshot is recorded.
In the block following the submission of the malicious proposal, the attacker controlled 10% of the circulating supply. With this voting power, they were able to decide the outcome of any proposal in the DAO.
In this case, the attacker used that power to drain funds belonging to Futureswap users — a total of US$250K.

This makes it clear that the critical flaw in Futureswap was its “snapshot” function.
Today, governance contracts include protections against flash loans to prevent attacks like this one. These protections include:
(1) A snapshot that records voting power at a block prior to proposal submission. This way, if a flash loan is executed in the same block, it is not taken into account — because the relevant voting power is fixed in the “past.”
(2) A snapshot taken after a predefined period known as the Voting Delay. With a Voting Delay, governance participants have time to coordinate and respond to potential attacks or issues with a proposal.
    function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public virtual override returns (uint256) {
        require(
            getVotes(_msgSender(), block.number - 1) >= proposalThreshold(),
            "Governor: proposer votes below proposal threshold"
        );
        // ...
Snippet of the flash loan protection in the Arbitrum governance contract: the proposer's votes are read at block.number - 1, which is the first mechanism above.
Both mechanisms are standard security in the governance contracts of the largest DAOs in the industry, such as Uniswap, Compound, Aave, and ENS.
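To make the difference between the two snapshot points concrete, here is an added Python model (not Futureswap's, Arbitrum's or OpenZeppelin's code) of a checkpointed governance token and a governor that reads the proposer's voting power either in the proposing block or at block.number - 1, replaying a one-transaction flash swap against both; the token supply, pool balance, threshold and block numbers are all constructed.

```python
from bisect import bisect_right

class CheckpointedToken:
    """Governance token keeping each holder's balance history as (block, balance)
    checkpoints (constructed model in the spirit of ERC20Votes, not Futureswap's code)."""

    def __init__(self, supply):
        self.supply = supply
        self.hist = {}  # holder -> [(block, balance), ...] in block order

    def balance_at(self, holder, block):
        """Balance of `holder` at the end of `block` (0 if it never held any)."""
        cps = self.hist.get(holder, [])
        i = bisect_right([b for b, _ in cps], block)
        return cps[i - 1][1] if i else 0

    def _set(self, holder, block, balance):
        cps = self.hist.setdefault(holder, [])
        if cps and cps[-1][0] == block:
            cps[-1] = (block, balance)  # several writes in one block keep only the last
        else:
            cps.append((block, balance))

    def transfer(self, src, dst, amount, block):
        if self.balance_at(src, block) < amount:
            raise ValueError("insufficient balance")
        self._set(src, block, self.balance_at(src, block) - amount)
        self._set(dst, block, self.balance_at(dst, block) + amount)

class Governor:
    """lookback=0 reads voting power in the proposing block (the flaw described
    above); lookback=1 reads it at block.number - 1, as the Arbitrum snippet does."""
    def __init__(self, token, threshold_bps, lookback):
        self.token, self.threshold_bps, self.lookback = token, threshold_bps, lookback

    def propose(self, proposer, block):
        votes = self.token.balance_at(proposer, block - self.lookback)
        if votes * 10_000 < self.threshold_bps * self.token.supply:
            raise PermissionError("proposer votes below proposal threshold")
        return votes  # voting power the governor credited to the proposer

def flash_swap_attack(governor, token, pool, attacker, amount, block):
    """One transaction: borrow from the pool, propose, repay before it ends."""
    token.transfer(pool, attacker, amount, block)
    try:
        return governor.propose(attacker, block)
    finally:
        token.transfer(attacker, pool, amount, block)  # repaid in the same block

def run_scenario(lookback):
    """Constructed figures: supply 1,000,000; pool holds 200,000; 1% threshold; attacker borrows 10% in block 50."""
    token = CheckpointedToken(supply=1_000_000)
    token.hist["pool"] = [(0, 200_000)]
    gov = Governor(token, threshold_bps=100, lookback=lookback)
    try:
        credited = flash_swap_attack(gov, token, "pool", "attacker", 100_000, block=50)
    except PermissionError:
        credited = 0  # hardened governor: the borrowed tokens were never counted
    return {"credited_votes": credited, "attacker_balance_after": token.balance_at("attacker", 50)}
```

With `lookback=0` the governor credits the attacker with 100,000 votes (10% of supply) even though the attacker's balance is back to zero by the end of the block; with `lookback=1` the proposal is rejected. The Voting Delay adds a further margin on top of this: the vote's own power snapshot lies one or more blocks after the proposal, so tokens returned inside the proposing block appear in no balance it reads.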

One of the key parameters evaluated by Anticapture when auditing a DAO’s governance is its protection against flash loan or flash swap attacks. None of the DAOs we have analyzed so far have failed this test — all of them include safeguards against attacks like the one carried out on Futureswap.
However, these are large, well-established DAOs. Smaller projects may not benefit from the same level of security in their governance design or code — and this poses a serious risk to users and to the broader ecosystem.
Recent incidents across DeFi point to structural patterns beyond protocol-specific failures or any single incident.
Without speculating on timing or intent, and without attributing causality where evidence is still incomplete, it is still possible to observe recurring structural characteristics across recent events:
Balancer: exploit leveraging batch swaps with deferred settlement in the V2 Vault, where composable stable pool mechanics and rounding behavior in EXACT_OUT swaps allowed liquidity to be reduced to extreme levels.
Yearn: incident in a custom yETH stableswap pool, based on modified stableswap code, resulting in excessive minting of yETH; isolated from Yearn V2/V3 vaults but leading to approximately $9M in losses across affected pools.
All point to a common direction: risk is no longer concentrated where attention traditionally lies.
Two dimensions are particularly worth examining:
A recurring pattern in modern exploits is the targeting of components that are not new, not actively evolving, and not central to day-to-day operations, but that still custody value.
These are not necessarily deprecated systems, but systems that have become background infrastructure: older contracts, legacy libraries, rarely exercised code paths, governance mechanisms assumed to be settled, or features that “worked fine for years”. In each case, the vulnerability was not hidden. It was simply no longer salient.
Certain attack paths existed in theory, but not in practice: they required levels of combinatorial exploration, cross-domain reasoning, or exhaustive simulation that were simply not economically viable. As a result, these risks did not meaningfully exist at the human surface.
AI introduces a new category of risk by expanding what is economically and cognitively feasible. It enables continuous analysis across abandoned codebases, systematic exploration of state spaces far beyond human reach, and adversarial recombination of known primitives at scale. Patterns that once required prohibitive effort become accessible, repeatable, and persistent.
What was previously invisible becomes legible, and what was once theoretical becomes actionable.
Risk assessment is often discussed as if it were exhaustive, continuous, and evenly distributed across the ecosystem. In reality, it is constrained by time, attention, incentives, and visibility. Anticapture and similar efforts operate inside those constraints.
Risk assessors do not operate in a vacuum. They operate inside an ecosystem whose incentives are heavily skewed toward expansion, such as:
Token launches and airdrops
Protocol growth and integrations
New chains, new deployments, and new surfaces
This creates a structural race against time. Risk assessment competes with growth narratives for limited attention, and legibility across the ecosystem remains uneven by design. In that context, risk does not disappear. It accumulates.
Non–open-source systems significantly limit pre-incident analysis.
In the case of Futureswap, the lack of open-source contracts materially constrained pre-incident analysis. Without access to code, assessors are limited to behavioral inference. This raises an uncomfortable but necessary question: What security assumptions remain unverifiable in closed-source systems?
Without source code, assessment becomes probabilistic rather than structural, and mitigation shifts from prevention to post-hoc interpretation.
A final constraint is more fundamental: some DAOs and protocols exist outside the shared field of awareness. Risk assessment assumes a known universe of systems. In practice, that universe is incomplete.

When a DAO or a protocol is effectively invisible to most participants, mitigation becomes reactive by default. One cannot assess what one does not know exists. Discovery itself becomes part of the risk surface.
We are evaluating the feasibility of identifying systems that remain live but fall outside active awareness. This includes dormant DAOs, legacy deployments, and under-observed components that continue to custody value. The objective is not post-incident analysis, but reducing the likelihood of failures that result in material losses for users and protocols.
Visibility does not always guarantee safety, but the absence of visibility consistently precedes governance capture.
