
Hacker Exploits $1.4 Million Vulnerability in Ekubo Contract
Hacker exploits $1.4M vulnerability in Ekubo contract on EVM networks.
A hacker targeted a token exchange contract on EVM networks of the DeFi protocol Ekubo, as reported by the project team.
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected.
We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: https://t.co/9vHDLVjQWP
— Ekubo (@EkuboProtocol) May 5, 2026
The developers emphasized that liquidity providers were not affected. The Starknet version of the platform also remains secure.
Users were advised to revoke all active approvals and warned of potential phishing attempts.
According to Blockaid, the attack affected a custom auxiliary Ekubo contract on Ethereum. Experts estimated the preliminary damage at $1.4 million.
🚨Blockaid’s exploit detection system has identified an on-going exploit on an @EkuboProtocol custom extension contract on Ethereum.
$1.4M drained so far.
Ekubo users are not at risk. Only users who have approved this specific v2 contract as a spender (any token) are at…
— Blockaid (@blockaid_) May 5, 2026
Only users who had previously approved this specific v2 contract as a spender are at risk.
Cause of the Breach
Blockaid linked the exploit to a flaw in the callback mechanism. The auxiliary contract allowed the attacker to insert arbitrary values into the request: who pays, which token, and in what amount.
The contract did not verify whether the specified payer had initiated the operation or agreed to act in this role.
With an existing ERC-20 approval, the attacker could designate the victim’s address as the payer, initiate a call through Ekubo Core, and force the contract to transfer tokens via the transferFrom function. Ekubo Core’s settlement mechanism then transferred the stolen amount to the hacker.
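The missing payer check described above can be shown with a small model. This is an added example, not Ekubo's contract code or anything published by the project: the `Token` and `Router` classes, the `check_payer` switch and the addresses "victim", "other", "router" and "core" are constructed for illustration.

```python
# Toy model (constructed; not Ekubo's code) of a pay callback that trusts a
# request-supplied payer, next to a version that binds payer to initiator.

class Token:
    """Minimal ERC-20-style ledger: balances plus owner -> spender allowances."""
    def __init__(self):
        self.balance = {}
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balance.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, spender)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount


class Router:
    """Hypothetical router contract that users approve as a spender."""
    ADDRESS = "router"

    def __init__(self, token, core, check_payer):
        self.token, self.core, self.check_payer = token, core, check_payer

    def pay(self, initiator, payer, amount):
        # `payer` and `amount` are request data chosen by the initiator.
        if self.check_payer and payer != initiator:
            raise PermissionError("payer did not initiate this operation")
        self.token.transfer_from(self.ADDRESS, payer, self.core, amount)


def run(check_payer, revoke_first=False):
    """Return the victim's balance after a third party names them as payer."""
    token = Token()
    token.balance["victim"] = 100
    token.approve("victim", Router.ADDRESS, 2**256 - 1)  # unlimited approval
    if revoke_first:
        token.approve("victim", Router.ADDRESS, 0)       # advised mitigation
    router = Router(token, core="core", check_payer=check_payer)
    try:
        router.pay(initiator="other", payer="victim", amount=20)
    except PermissionError:
        pass  # the transfer was refused
    return token.balance["victim"]
```

Without the check the standing allowance alone authorizes the transfer; binding the payer to the initiator, or revoking the approval as users were advised, leaves the balance untouched.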
SlowMist’s founder, known as Cos, clarified that one user had given unlimited approval to the Ekubo contract 158 days ago. The attacker initiated 85 transactions, each deducting 0.2 WBTC, ultimately withdrawing 17 WBTC from the address.
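An Ekubo-related contract has been maliciously exploited: https://t.co/imw4AKey5t
The cause is that, if a user had previously approved the relevant tokens to:
0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd
such as this user 0x765DEC's unlimited WBTC approval (158 days ago): https://t.co/2Ubo35aBZJ the attacker can designate an approved user as the payer and, in payCallback, have that contract call… https://t.co/FDwvrJ23oR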
— Cos(余弦)😶🌫️ (@evilcos) May 6, 2026
An on-chain analyst known as Darkfost reported that the hacker sent the stolen funds to Velora, exchanged them for $404,000 in USDC, $403,000 in DAI, and 239.5 ETH, and then sent them to the crypto mixer Tornado Cash.
If you use Ekubo, be cautious. Their EkuboSwap router contract has been exploited.
The attacker managed to execute 85 transactions, each transferring 0.2 $WBTC to a single address.
The 17 WBTC were then sent to Velora and swapped into $404K $USDC, $403K $DAI, and 239.5 $ETH.… https://t.co/vj9pubFrzJ pic.twitter.com/kD5zgWyUNP
— Darkfost (@Darkfost_Coc) May 5, 2026
In April 2026, the number of hacks in the crypto industry reached a record high. Analysts at DefiLlama counted over 20 incidents in the month.
The largest was the $292 million exploit of the Kelp protocol. The second largest was the attack on Drift, with damages amounting to $280 million.