Recently, attackers repeatedly invoked the changePosition function to drain funds, ultimately extracting approximately USD 395,000 in USDC. As the contract is not open-sourced, the exact vulnerability is still under investigation. However, the on-chain transaction traces already make one thing clear: abnormal position updates caused stablecoin balances to be incorrectly released during position reduction or closure.
This incident once again highlights a harsh reality: in real-world attacks, by the time a code-level vulnerability is fully identified, it is often already too late. Yet even when a contract is closed-source and its logic opaque, the attack behavior itself leaves sufficiently clear and actionable risk signals on-chain.
From a KYT (Know Your Transaction) perspective, the FutureSwapX attack was far from invisible. Within a short time window, the attacker repeatedly called high-risk functions, creating a clear abnormal correlation between position changes and fund releases. After completing the critical operations, the attacker rapidly aggregated the funds and exited into stablecoins. These patterns differ significantly from normal user trading behavior.
The real question is not whether these signals existed, but whether anyone was continuously monitoring them in real time—and capable of identifying them as an ongoing attack.
This is precisely the problem our KYT product is designed to solve. It is not limited to compliance checks or post-incident analysis. Instead, it is purpose-built for real-time risk detection and intervention in DeFi and smart contract environments. For attack patterns like those seen in the FutureSwapX incident, our KYT system is designed around three core principles: early detection, real-time alerting, and full-path reconstruction. Key capabilities include:
- Real-time monitoring based on on-chain behavioral models: Continuous analysis of call frequency, execution order, and behavioral patterns of critical contract functions, enabling risk identification as soon as abnormal activity begins to form, rather than after funds are fully drained.
- Intelligent correlation between position changes and fund releases: Automated detection of anomalous relationships between position adjustments and stablecoin outflows, precisely capturing fund-drain paths that appear “logically valid” but are behaviorally abnormal.
- Attack-path-level fund tracking and risk labeling: End-to-end tracing of addresses, contracts, and fund flows involved in suspicious transactions, rapidly identifying systemic arbitrage or drain behaviors and generating visualized risk evidence.
- Real-time alerts integrated with risk control mechanisms: When high-risk behavior is detected, the system can issue immediate alerts and integrate with controls such as rate limiting, pausing critical operations, or triggering manual reviews, helping contain risk before funds are completely withdrawn.

Had such a KYT monitoring framework been deployed during the FutureSwapX incident, there would have been a real opportunity to detect the abnormal behavior and intervene before the attack was completed, even without a confirmed vulnerability.
This incident sends a clear message: smart contract risk is not only a code problem; it is first and foremost a transaction behavior problem. As on-chain financial structures grow increasingly complex, relying solely on audits or post-mortem analysis is no longer sufficient. The truly effective defense lies in continuous understanding and real-time recognition of on-chain behavior.
Before the next attack happens, those who establish proactive visibility into on-chain behavior through KYT will be the ones who truly hold the initiative in security.
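The first two capabilities listed above (call-frequency monitoring of a critical function, and correlating position changes with stablecoin outflows) can be expressed as a sliding-window rule. This is an added example, not the KYT product's code: the event fields, thresholds, addresses and sample transactions are all constructed assumptions, and only the function name changePosition comes from the incident description.

```python
from collections import defaultdict, deque

WATCHED = "changePosition"  # function named in the write-up
WINDOW_S = 120        # assumed look-back window, in seconds
MAX_CALLS = 3         # assumed: more watched calls than this per window is abnormal
MAX_NET_OUT = 10_000  # assumed: net USDC (whole units) released to one caller per window

def detect(events):
    """Alert once per caller when watched calls are frequent AND the same
    window shows a net stablecoin release to that caller."""
    recent = defaultdict(deque)  # caller -> (ts, usdc_out - usdc_in) per call
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["fn"] != WATCHED or ev["caller"] in alerted:
            continue
        q = recent[ev["caller"]]
        q.append((ev["ts"], ev["usdc_out"] - ev["usdc_in"]))
        while q[0][0] < ev["ts"] - WINDOW_S:  # drop calls outside the window
            q.popleft()
        calls, net_out = len(q), sum(n for _, n in q)
        if calls > MAX_CALLS and net_out > MAX_NET_OUT:
            alerted.add(ev["caller"])
            alerts.append({"caller": ev["caller"], "ts": ev["ts"], "tx": ev["tx"],
                           "calls": calls, "net_out": net_out})
    return alerts

def call(ts, caller, usdc_in, usdc_out, tx):
    """Build one decoded call record (hypothetical schema)."""
    return {"ts": ts, "caller": caller, "fn": WATCHED,
            "usdc_in": usdc_in, "usdc_out": usdc_out, "tx": tx}

# Constructed sample: decoded calls with the USDC moved in the same transaction.
SAMPLE = (
    # ordinary trader: opens, later closes with a small profit
    [call(0, "0xUSER", 5000, 0, "u1"), call(900, "0xUSER", 0, 5100, "u2")]
    # busy bot: many calls, but inflows and outflows cancel
    + [call(10 * i, "0xBOT", 2000, 2000, f"b{i}") for i in range(8)]
    # drain-like: rapid calls that each release USDC with nothing paid in
    + [call(1000 + 12 * i, "0xDRAIN", 0, 20000, f"d{i}") for i in range(6)]
)

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a)
```

With the constructed sample, the alert fires on the fourth drain-like call, while two of the six releases have not yet happened; the high-frequency bot is not flagged because its flows net to zero.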