Ekubo Protocol Exploit Sees $1.4M Drained in 85 Transactions

Show AI Summary

A contract flaw in Ekubo Protocol’s swap router contract allowed attackers to drain user-approved tokens, highlighting a major security risk in DeFi.

The exploit was traced to a weak function that failed to properly confirm authorization for payments, enabling hackers to trigger transfers without owners’ consent.

The breach exploited a long-standing issue with token permissions, where a single approval can expose large amounts over time if not revoked, as seen in the loss of 17 WBTC from one user’s wallet.

Fresh concerns have hit the decentralized finance (DeFi) space after an exploit hit Ekubo Protocol, putting user funds at risk. The attackers used a contract flaw to drain approved tokens. Early estimates place losses at about $1.4 million across Ethereum and Arbitrum, prompting urgent warnings for users to act.

Ekubo confirmed the breach, saying it affected its swap router contract on EVM chains. However, the team added that liquidity providers and Starknet users were not impacted. It urged users to revoke all active approvals immediately, as the incident again exposes how token permissions can become a major security risk in DeFi.

Exploit traced to approval and callback weakness

Security researchers quickly traced the exploit to a flaw in Ekubo’s contract design. In a Series of posts on X, blockchain security firm Blockaid said attackers targeted a custom extension contract on Ethereum. The issue centered on a weak function that failed to properly confirm who should authorize payments.

As a result, attackers could feed in their own data and trigger transfers from users who had already granted token approvals. In other words, the system trusted outside inputs without enough checks. That gap allowed hackers to move funds without the owners’ consent.

Further analysis from SlowMist Founder Cos showed how the attack played out in practice. One user had given unlimited WBTC approval months earlier. The attacker then ran 85 small transactions, each taking 0.2 WBTC. In total, the wallet lost 17 WBTC, showing how a single approval can expose large amounts over time.

Ekubo 有关合约被恶意利用：https://t.co/imw4AKey5t

原因是如果用户之前将相关代币授权给：
0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd
如这位用户 0x765DEC 的这笔 WBTC 无限授权（158 天前）：https://t.co/2Ubo35aBZJ

攻击者可指定已授权用户作为 payer，在 payCallback 中让该合约调用… https://t.co/FDwvrJ23oR
— Cos(余弦)😶‍🌫️ (@evilcos) May 6, 2026

Users urged to revoke approvals

Revoke.cash warned that users remain exposed until they revoke token approvals. Ekubo, meanwhile, urged users to stay alert and avoid suspicious links as the investigation continues.

⚠️ Ekubo exploited ⚠️

Earlier today, @EkuboProtocol reported an exploited vulnerability in their contracts, which was used to steal approved user funds.

A full post-mortem is said to follow, but we've already created an exploit checker below 👇https://t.co/HUmEOIRA0r
— Revoke.cash (@RevokeCash) May 6, 2026

This is just an example of a much bigger problem that exists within the industry. April 2026 has already become the most unfortunate month for crypto hacks, with the number of losses around $630 million due to more than 25 attacks.

The hacking at Ekubo has once again brought up the issue of permissions in DeFi, which are known to be very risky if not handled properly. As attacks become more advanced, managing approvals remains one of the weakest points in DeFi security.

Also Read: $41.5 Million Frozen: Inside the Takedown of the DSJ Exchange Ponzi Scheme

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!