Ekubo Protocol, a decentralized exchange, lost approximately $1.4 million in Wrapped Bitcoin (WBTC) after an exploit targeted its swap router contracts on the Ethereum and Arbitrum networks. The vulnerability stemmed from a missing validation check that allowed an attacker to drain funds from users who had previously granted approval to the contracts.
The attack was first reported by security firm Blockaid and later confirmed by the Ekubo team. "The Ekubo Protocol exploit happened because of a simple but costly mistake in the code," an official announcement stated. The core issue was a "missing payer validation" in the IPayer.pay callback function, which failed to verify the source of parameters, enabling the attacker to transfer tokens on behalf of users.
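The bug class described above, a payment callback that trusts a caller-supplied payer, shown as an added Solidity illustration that is not Ekubo's code (the ICore, IPayer and router names are assumptions): the vulnerable router forwards whatever payer it is handed to transferFrom, while the hardened one accepts the callback only from its core contract, only during a swap it started, and pays from the account it recorded itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the bug class, not Ekubo's code. The ICore,
// IPayer and router names below are assumptions made for this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ICore {
    // The core pulls payment by calling IPayer(msg.sender).pay(...) on the router.
    function swap(address tokenIn, uint256 amountIn, address recipient) external;
}

interface IPayer {
    function pay(address token, address payer, uint256 amount) external;
}

// VULNERABLE: anyone may call pay() directly with any "payer", so every user
// who approved this router can have their tokens pulled by a third party.
contract VulnerableRouter is IPayer {
    address public immutable core;
    constructor(address core_) { core = core_; }

    function pay(address token, address payer, uint256 amount) external {
        IERC20(token).transferFrom(payer, core, amount); // no caller or payer check
    }
}

// HARDENED: the callback is accepted only from the core, only while a swap
// started through this router is in flight, and the payer is the account the
// router itself recorded, never a parameter supplied by the caller.
contract HardenedRouter is IPayer {
    address public immutable core;
    address private activePayer; // non-zero only during swap()
    constructor(address core_) { core = core_; }

    function swap(address tokenIn, uint256 amountIn) external {
        require(activePayer == address(0), "swap: reentrant");
        activePayer = msg.sender;
        ICore(core).swap(tokenIn, amountIn, msg.sender); // core calls pay() below
        activePayer = address(0);
    }

    function pay(address token, address /* payer ignored */, uint256 amount) external {
        require(msg.sender == core, "pay: caller is not core");
        require(activePayer != address(0), "pay: no swap in progress");
        IERC20(token).transferFrom(activePayer, core, amount);
    }
}
```

Even with the hardened router, an exact-amount approval rather than an unlimited one caps what any future router bug can move from a given wallet.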
Data shows the exploit resulted in the theft of roughly 17 WBTC across 85 transactions. The core Ekubo protocol, which primarily operates on Starknet, remains secure. The vulnerability was confined to specific V2 and V3 router contracts on EVM-compatible chains, affecting only users who had granted unlimited token approvals to these addresses. Liquidity providers and users of the Starknet-native protocol were not impacted.
This incident highlights the persistent risks associated with token approvals in the DeFi space on Ethereum. While convenient, granting unlimited permissions to smart contracts can expose users to significant losses if a vulnerability is discovered. The Ekubo team is compiling a post-mortem report and has warned users to be wary of potential refund scams, advising them to follow official channels for updates.
How to Protect Your Assets
The Ekubo team urges all users who have ever interacted with the affected router contracts on Ethereum or Arbitrum to revoke any active permissions immediately. This can be done using trusted third-party tools like revoke.cash.
Revoke approvals for these specific contract addresses:
Ethereum:
0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd (V2)
0x4f168f17923435c999f5c8565acab52c2218edf2 (V3)
Arbitrum:
0xc93c4ad185ca48d66fefe80f906a67ef859fc47d (V3)
This article is for informational purposes only and does not constitute investment advice.