{"id":96848,"date":"2026-05-06T11:10:51","date_gmt":"2026-05-06T08:10:51","guid":{"rendered":"https:\/\/u1f987.com\/en\/?p=96848"},"modified":"2026-05-06T11:15:18","modified_gmt":"2026-05-06T08:15:18","slug":"hacker-exploits-1-4-million-vulnerability-in-ekubo-contract","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/hacker-exploits-1-4-million-vulnerability-in-ekubo-contract\/","title":{"rendered":"Hacker Exploits $1.4 Million Vulnerability in Ekubo Contract"},"content":{"rendered":"<p>A hacker targeted a token exchange contract on <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-the-ethereum-virtual-machine-evm\">EVM<\/a> networks of the <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-decentralised-finance-defi\">DeFi<\/a> protocol Ekubo, as reported by the project team.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected.<\/p>\n<p>We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: <a href=\"https:\/\/t.co\/9vHDLVjQWP\">https:\/\/t.co\/9vHDLVjQWP<\/a><\/p>\n<p>\u2014 Ekubo (@EkuboProtocol) <a href=\"https:\/\/twitter.com\/EkuboProtocol\/status\/2051754481465856038?ref_src=twsrc%5Etfw\">May 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The developers emphasized that <a href=\"https:\/\/u1f987.com\/en\/news\/what-are-liquidity-pools-and-how-do-they-work\">liquidity providers<\/a> were not affected. 
The <a href=\"https:\/\/u1f987.com\/en\/news\/what-are-starknets-blockchain-and-cryptocurrency\">Starknet<\/a> version of the platform also remains secure.<\/p>\n<p>Users were advised to revoke all active approvals and warned of potential phishing attempts.<\/p>\n<p>According to Blockaid, the attack affected a custom auxiliary Ekubo contract on Ethereum. Experts estimated the preliminary damage at $1.4 million.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8Blockaid&#8217;s exploit detection system has identified an on-going exploit on an <a href=\"https:\/\/twitter.com\/EkuboProtocol?ref_src=twsrc%5Etfw\">@EkuboProtocol<\/a> custom extension contract on Ethereum. <\/p>\n<p>$1.4M drained so far.<\/p>\n<p>Ekubo users are not at risk. Only users who have approved this specific v2 contract as a spender (any token) are at\u2026<\/p>\n<p>\u2014 Blockaid (@blockaid_) <a href=\"https:\/\/twitter.com\/blockaid_\/status\/2051757787714118125?ref_src=twsrc%5Etfw\">May 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Only users who had previously approved this specific v2 contract as a spender are at risk.<\/p>\n<h2 class=\"wp-block-heading\">Cause of the Breach<\/h2>\n<p>Blockaid linked the exploit to a flaw in the callback mechanism. The auxiliary contract allowed the attacker to insert arbitrary values into the request: who pays, which token, and in what amount.<\/p>\n<p>The contract did not verify whether the specified payer had initiated the operation or agreed to act in this role.<\/p>\n<p>With an existing ERC-20 approval, the attacker could designate the victim&#8217;s address as the payer, initiate a call through Ekubo Core, and force the contract to transfer tokens via the transferFrom function. 
Ekubo Core&#8217;s settlement mechanism then transferred the stolen amount to the hacker.<\/p>\n<p>SlowMist&#8217;s founder, known as Cos, clarified that one user had given unlimited approval to the Ekubo contract 158 days ago. The attacker initiated 85 transactions, each deducting 0.2 WBTC, ultimately withdrawing 17 WBTC from the address.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">An Ekubo-related contract has been maliciously exploited: <a href=\"https:\/\/t.co\/imw4AKey5t\">https:\/\/t.co\/imw4AKey5t<\/a><\/p>\n<p>The cause: if a user previously approved the relevant token to:<br \/>0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd <br \/>as this user 0x765DEC did with this unlimited WBTC approval (158 days ago): <a href=\"https:\/\/t.co\/2Ubo35aBZJ\">https:\/\/t.co\/2Ubo35aBZJ<\/a><\/p>\n<p>The attacker can designate an already-approved user as the payer and, in payCallback, have that contract call\u2026 <a href=\"https:\/\/t.co\/FDwvrJ23oR\">https:\/\/t.co\/FDwvrJ23oR<\/a><\/p>\n<p>\u2014 Cos(\u4f59\u5f26)\ud83d\ude36\u200d\ud83c\udf2b\ufe0f (@evilcos) <a href=\"https:\/\/twitter.com\/evilcos\/status\/2051833417365631281?ref_src=twsrc%5Etfw\">May 6, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>An on-chain analyst known as Darkfost reported that the hacker sent the stolen funds to Velora, exchanged them for $404,000 in <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-the-usdc-stablecoin\">USDC<\/a>, $403,000 in <a href=\"https:\/\/u1f987.com\/en\/news\/what-are-makerdao-mkr-and-the-dai-stablecoin\">DAI<\/a>, and 239.5 ETH, and then sent them to the crypto mixer <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>.<\/p>\n<blockquote 
class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">If you use Ekubo, be cautious. Their EkuboSwap router contract has been exploited.<\/p>\n<p>The attacker managed to execute 85 transactions, each transferring 0.2 <a href=\"https:\/\/twitter.com\/search?q=%24WBTC&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$WBTC<\/a> to a single address.<\/p>\n<p>The 17 WBTC were then sent to Velora and swapped into $404K <a href=\"https:\/\/twitter.com\/search?q=%24USDC&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$USDC<\/a>, $403K <a href=\"https:\/\/twitter.com\/search?q=%24DAI&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$DAI<\/a>, and 239.5 <a href=\"https:\/\/twitter.com\/search?q=%24ETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ETH<\/a>.\u2026 <a href=\"https:\/\/t.co\/vj9pubFrzJ\">https:\/\/t.co\/vj9pubFrzJ<\/a> <a href=\"https:\/\/t.co\/kD5zgWyUNP\">pic.twitter.com\/kD5zgWyUNP<\/a><\/p>\n<p>\u2014 Darkfost (@Darkfost_Coc) <a href=\"https:\/\/twitter.com\/Darkfost_Coc\/status\/2051778219137974336?ref_src=twsrc%5Etfw\">May 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In April 2026, the number of hacks in the crypto industry reached a record high. Analysts at DefiLlama counted over 20 incidents in the month.<\/p>\n<p>The largest was the $292 million exploit of the <a href=\"https:\/\/u1f987.com\/en\/news\/kelp-hack-triggers-15-billion-withdrawal-from-aave\">Kelp<\/a> protocol. 
The second largest was the <a href=\"https:\/\/u1f987.com\/en\/news\/drift-protocol-on-solana-loses-280m\">attack on Drift<\/a>, with damages amounting to $280 million.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A hacker targeted a token exchange contract on EVM networks of the DeFi protocol Ekubo, as reported by the project team.<\/p>\n","protected":false},"author":1,"featured_media":96849,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Hacker exploits $1.4M vulnerability in Ekubo contract on EVM networks.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1093],"class_list":["post-96848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"9","promo_type":"1","layout_type":"1","short_excerpt":"Hacker exploits $1.4M vulnerability in Ekubo contract on EVM 
networks.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=96848"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96848\/revisions"}],"predecessor-version":[{"id":96850,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96848\/revisions\/96850"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/96849"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=96848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=96848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=96848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}