A hacker targeted the token swap contract of the Ekubo DeFi protocol on EVM networks, the project team reported.
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected.
We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: https://t.co/9vHDLVjQWP
— Ekubo (@EkuboProtocol) May 5, 2026
The developers emphasized that liquidity providers were not harmed. The Starknet version of the platform also remains secure.
Users were advised to revoke all active approvals and warned about potential phishing attempts.
According to Blockaid, the attack affected a custom extension of Ekubo on Ethereum. Experts estimate the preliminary damage at $1.4 million.
🚨Blockaid's exploit detection system has identified an ongoing exploit on an @EkuboProtocol custom extension contract on Ethereum.
$1.4M drained so far.
Ekubo users are not at risk. Only users who have approved this specific v2 contract as a spender (any token) are at…
— Blockaid (@blockaid_) May 5, 2026
Only those users who previously granted permission for token withdrawals to the specific v2 contract are at risk.
Cause of the Hack
Blockaid linked the exploit to a flaw in the callback mechanism. The extension contract allowed the attacker to substitute arbitrary values in the request: who pays, which token, and the amount.
The contract did not verify whether the specified payer actually initiated the operation or agreed to act in that role.
With an old ERC-20 approval, the attacker could designate the victim's address as the payer, initiate a call through Ekubo Core, and cause the contract to withdraw tokens via the transferFrom function. The Ekubo Core settlement mechanism then transferred the stolen amount to the hacker.
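A simplified Python model of the flaw described above, added here as an illustration and not taken from Ekubo's contracts: `Token`, `Router`, `swap`, `pay_callback` and the accounts `alice` and `mallory` are assumed names. With `check_payer` off, the callback trusts the caller-supplied payer; with it on, the payer must be the account that initiated the operation.

```python
class Token:
    """Minimal ERC-20 model: balances plus (owner, spender) allowances."""
    def __init__(self):
        self.balance, self.allowance = {}, {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("insufficient allowance")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowance[(owner, spender)] -= amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class Router:
    """Hypothetical extension contract; names are assumptions, not Ekubo's."""
    ADDRESS, CORE = "router", "core"

    def __init__(self, token, check_payer):
        self.token, self.check_payer = token, check_payer
        self.initiator = None  # set only while an operation is in flight

    def swap(self, caller, payer, amount):
        self.initiator = caller  # record who actually started the operation
        try:
            self.pay_callback(self.CORE, payer, amount)  # core calls back
        finally:
            self.initiator = None

    def pay_callback(self, msg_sender, payer, amount):
        if msg_sender != self.CORE:
            raise PermissionError("callback not from core")
        # Hardened form: payer must be the account that initiated the call.
        if self.check_payer and payer != self.initiator:
            raise PermissionError("payer did not initiate this operation")
        self.token.transfer_from(self.ADDRESS, payer, self.CORE, amount)

def balance_after_third_party_call(check_payer):
    """Constructed scenario: 'alice' has a stale approval, 'mallory' calls."""
    token = Token()
    token.balance["alice"] = 100
    token.approve("alice", Router.ADDRESS, 10**18)
    try:
        Router(token, check_payer).swap("mallory", "alice", 20)
    except PermissionError:
        pass
    return token.balance["alice"]
```

In the unchecked form the stale allowance alone is enough for the pull to succeed, which is why revoking approvals removes the exposure even before the contract is fixed.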
The founder of SlowMist, known as Cos, noted that one user granted unlimited approval to the Ekubo contract 158 days ago. The attacker made 85 withdrawals of 0.2 WBTC each, ultimately draining 17 WBTC from the address.
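Ekubo-related contracts have been maliciously exploited: https://t.co/imw4AKey5t
The cause is that if a user had previously approved the relevant tokens to:
0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd
as with this user 0x765DEC's unlimited WBTC approval (158 days ago): https://t.co/2Ubo35aBZJ
the attacker could specify the approved user as the payer and, in payCallback, have this contract call… https://t.co/FDwvrJ23oR
— Cos(余弦)😶🌫️ (@evilcos) May 6, 2026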
On-chain analyst Darkfost reported that the hacker sent the stolen funds to Velora, exchanged them for $404,000 in USDC, $403,000 in DAI, and 239.5 ETH, and then sent them to the crypto mixer Tornado Cash.
If you use Ekubo, be cautious. Their EkuboSwap router contract has been exploited.
The attacker managed to execute 85 transactions, each transferring 0.2 $WBTC to a single address.
The 17 WBTC were then sent to Velora and swapped into $404K $USDC, $403K $DAI, and 239.5 $ETH.… https://t.co/vj9pubFrzJ pic.twitter.com/kD5zgWyUNP
— Darkfost (@Darkfost_Coc) May 5, 2026
It’s worth noting that April 2026 set a record for the number of hacks in the crypto industry. DefiLlama analysts counted over 20 incidents in that month.
The largest was the exploit of the Kelp protocol, resulting in a loss of $292 million. The second largest was the attack on Drift, which caused $280 million in damages.
