HIGH RISK

Ekubo DEX Users Lose $1.4M In WBTC Approval-Based Exploit

Callback validation flaw in Ekubo's EVM routers let attackers drain $1.4M in WBTC via 85 rapid transactions. Only users with active approvals affected.

Our Analysis

On May 5, 2026, attackers exploited a critical callback validation flaw in Ekubo Protocol's EVM swap router contracts on Ethereum and Arbitrum, draining approximately $1.4 million in Wrapped Bitcoin (WBTC) from users who had active token approvals. Blockaid's exploit detection system identified the ongoing attack and confirmed that only users who had approved Ekubo's specific V2 and V3 router contracts as spenders were at risk. Starknet — where the majority of Ekubo's approximately $28.5 million TVL resides — was entirely unaffected, as the vulnerability existed only in the EVM-chain auxiliary contracts.

The vulnerability resided in Ekubo's IPayer.pay callback function, which implemented token transfers via token.transferFrom(payer, Core, amount) where the payer, token, and amount parameters were forwarded directly from the lock payload without verification. The contract failed to check whether the designated payer matched the legitimate lock initiator or was an authorized party. This allowed attackers to insert arbitrary victim addresses as payers, designating users who had previously granted token approvals to the router contracts.

The attacker executed approximately 85 rapid transactions, each draining 0.2 WBTC, targeting a primary victim at address 0x765DEC... who had granted unlimited approval to contract 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd approximately 158 days earlier. The stolen 17 WBTC was sent to Velora exchange and converted to $404,000 USDC, $403,000 DAI, and 239.5 ETH. These assets were then consolidated into 577 ETH worth approximately $1.36 million and routed toward Tornado Cash for laundering.

Affected routers included the Ethereum V2 router, Ethereum V3 router, and Arbitrum V3 router. Liquidity providers on Starknet were not at risk, as the core Starknet deployment uses a fundamentally different contract architecture.

Ekubo's security team responded by launching a refund portal for affected EVM users within hours of the disclosure. The team advised all users to revoke any outstanding approvals to the compromised contracts, directing them to Revoke.cash's Ekubo exploit checker and Ekubo's own Deep Revoke tool. A complete post-mortem and final loss tally are still pending, and whether all victims will receive full refunds has not yet been confirmed. The vulnerable router contracts have been deprecated.

This incident serves as a critical reminder about the dangers of unlimited token approvals. Users should regularly audit and revoke token approvals using tools like Revoke.cash, and should prefer setting specific spending limits rather than granting unlimited allowances when interacting with DeFi protocols. The 158-day gap between the victim's approval and the exploit demonstrates that approval-based attacks can be executed long after the initial interaction, making ongoing approval hygiene essential for DeFi participants.
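
The approval audit recommended above, as an added example (not code from this article, Ekubo, or Revoke.cash): a Python script that scans ERC-20 Approval logs and reports allowances still open to a watched spender, treating a later zero-amount Approval as a revoke. The token and owner addresses, block numbers and dates are constructed sample data, and the `timestamp` field is an assumption: the caller is expected to attach it from the block header, since raw logs do not carry one.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
# Spender contract named in the article; add the other deprecated routers as published.
WATCHED_SPENDERS = {"0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd"}

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, now):
    """Open allowances to watched spenders, judged by the newest Approval per tuple."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if len(log["topics"]) != 3 or log["topics"][0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 one has 4 topics)
        owner, spender = map(topic_to_address, log["topics"][1:])
        if spender in WATCHED_SPENDERS:
            latest[(log["address"].lower(), owner, spender)] = log
    findings = []
    for (token, owner, spender), log in latest.items():
        amount = int(log["data"], 16)
        if amount == 0:
            continue  # the most recent Approval was a revoke
        findings.append({"token": token, "owner": owner, "spender": spender,
                         "amount": amount, "unlimited": amount == MAX_UINT256,
                         "age_days": (now - log["timestamp"]).days})
    return findings

def make_log(block, idx, owner, spender, amount, ts):
    """Build one constructed log entry shaped like an eth_getLogs result."""
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "blockNumber": block, "logIndex": idx, "timestamp": ts}

# Constructed sample data: placeholder token/owner addresses, invented blocks and dates.
TOKEN, ALICE, BOB = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
ROUTER = "0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd"
NOW = datetime(2026, 5, 5, tzinfo=timezone.utc)
SAMPLE = [
    make_log(100, 0, ALICE, ROUTER, MAX_UINT256, datetime(2025, 11, 28, tzinfo=timezone.utc)),
    make_log(120, 3, BOB, ROUTER, MAX_UINT256, datetime(2026, 1, 10, tzinfo=timezone.utc)),
    make_log(150, 1, BOB, ROUTER, 0, datetime(2026, 2, 1, tzinfo=timezone.utc)),  # revoke
    make_log(160, 2, ALICE, "0x" + "33" * 20, 5, datetime(2026, 3, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(live_approvals(SAMPLE, NOW))
```

On the sample data only the first entry is reported: the second owner's approval was superseded by a revoke, and the last approval names an unwatched spender.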
RugPull News, May 5, 2026

Rug Pull Score

6.8/10
Based on our analysis

🚩 Red Flags Identified

  1. Critical callback validation flaw exploited in EVM swap router
  2. $1.4M in WBTC drained across 85 transactions
  3. Attackers leveraged existing token approvals to steal funds
  4. Smart contract vulnerability allowed unauthorized callback execution
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.