A security issue at Ekubo Protocol has raised new worries for the decentralized finance (DeFi) community, potentially putting users’ money at risk. Hackers took advantage of a weakness in the protocol’s code to steal approved tokens, with initial reports estimating losses of around $1.4 million across both the Ethereum and Arbitrum networks. Users are being advised to take immediate action to protect their funds.
Ekubo has confirmed a security breach affecting its swap router contract on certain blockchains. Fortunately, those who provide liquidity or use Starknet were not affected. Ekubo is advising all users to immediately revoke any permissions they’ve granted to the contract, highlighting the ongoing risk of token permissions in the world of decentralized finance (DeFi).
Exploit traced to approval and callback weakness
As an analyst, I’ve been following the recent exploit, and we quickly determined the root cause was a design flaw within Ekubo’s smart contract. Blockaid, a blockchain security firm, detailed on X that the attackers focused on a specific, custom extension contract on Ethereum. The core problem stemmed from a vulnerable function that didn’t adequately verify who was authorized to approve payments.
As a result, attackers could submit their own data and trigger unauthorized transfers from user accounts that had previously approved token spending. In short, the contract did not properly validate externally supplied input, which let attackers move funds without the owners' permission.
According to SlowMist founder Cos, the attack was possible because one user had previously granted unlimited approval for their WBTC. The attacker exploited this by making 85 small withdrawals of 0.2 WBTC each, ultimately stealing a total of 17 WBTC. This highlights the risk of granting unlimited token approvals, which can lead to significant losses over time.
As a researcher, I’ve discovered a vulnerability in the Ekubo contract related to malicious exploitation. Essentially, if a user previously authorized the contract to use their tokens – specifically, if they authorized it to spend tokens from an address like 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd – they become vulnerable. For example, a user like 0x765DEC granted unlimited WBTC approval to this contract 158 days ago. Attackers can then leverage this authorization, designating the authorized user as the payer and causing the contract to execute a malicious function within the payCallback.
— Cos(余弦)😶🌫️ (@evilcos) May 6, 2026
Users urged to revoke approvals
Revoke.cash highlighted that users are still at risk until they remove permissions granted to tokens. At the same time, Ekubo advised people to be cautious and steer clear of any questionable links while the investigation is ongoing.
🚨 Ekubo Protocol was recently hacked. 🚨
Earlier today, Ekubo reported a security flaw in their code that allowed someone to steal funds that users had already approved for use.
The team says they’ll share a detailed explanation of what happened soon. In the meantime, we’ve built a tool below to help you check if you were affected. 👇
— Revoke.cash (@RevokeCash) May 6, 2026
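To make the revoke advice concrete, here is an added example (not code from Ekubo, Revoke.cash or SlowMist) that scans ERC-20 `Approval` event logs for allowances still open to one spender. It assumes the spender is the contract address quoted in the SlowMist post above; the log entries, token and owner addresses are constructed placeholders.

```python
# Added example: find ERC-20 approvals still open to one spender in Approval logs.
# Logs show what was granted, not what remains: confirm with allowance(owner, spender).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
SPENDER = "0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd"  # address quoted in the post above

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, spender=SPENDER):
    """Map (token, owner) -> amount of the latest non-zero approval to spender."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 Approval shares topic0 but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)  # later logs overwrite earlier ones
    return {k: v for k, v in latest.items() if v > 0}  # 0 means revoked

def report(logs, spender=SPENDER):
    """Rows of (owner, token, amount) that still need to be revoked."""
    return [(owner, token, "UNLIMITED" if amt == UNLIMITED else str(amt))
            for (token, owner), amt in sorted(open_approvals(logs, spender).items())]

# --- constructed sample data (placeholder addresses, not real accounts) ---
TOKEN, ALICE, BOB, OTHER = ("0x" + c * 20 for c in ("aa", "11", "22", "33"))

def _log(block, idx, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(250, 1, BOB, SPENDER, 0),            # revoke, listed out of order
    _log(100, 0, ALICE, SPENDER, UNLIMITED),  # never revoked
    _log(101, 3, BOB, SPENDER, 5 * 10**8),    # superseded by the revoke above
    _log(120, 0, ALICE, OTHER, UNLIMITED),    # different spender, ignored
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOGS):
        print(*row)
```

On the sample data only the first placeholder owner is reported, because the second owner's later zero-value approval cancels the earlier grant.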
This incident highlights a larger issue affecting the cryptocurrency industry. April 2026 saw a surge in crypto hacks, becoming the worst month on record with over 25 attacks resulting in approximately $630 million in losses.
The recent hack of Ekubo highlights the ongoing problem of permissions in decentralized finance (DeFi). Incorrectly managed permissions are a significant risk, and as hacking techniques improve, controlling these approvals continues to be a major weakness in DeFi security.
2026-05-06 15:49