Another month, another significant DeFi exploit. The Ekubo Decentralized Exchange (DEX) found itself in the crosshairs yesterday, with attackers siphoning approximately $1.4 million in wrapped Bitcoin (WBTC) through a clever token approval exploit. This incident serves as a stark reminder of the persistent risks within the decentralized finance ecosystem, particularly concerning unchecked token permissions.
Key Takeaways
- $1.4M Stolen: Attackers exploited a vulnerability in Ekubo’s EVM swap router, leading to the draining of roughly $1.4 million in WBTC from user wallets.
- Approval Vulnerability: The exploit specifically targeted stale token approvals, a common pitfall that can leave assets vulnerable.
- Starknet Core Unaffected: Fortunately, the Ekubo protocol’s core contracts on Starknet and its liquidity providers remain secure, with the exploit confined to the EVM swap router.
- Mitigation Advised: Ekubo has strongly recommended that users revoke all outstanding token approvals, especially for Ethereum V2/V3 and Arbitrum V3.
The malicious actors executed around 85 draining transactions rapidly before attempting to launder the stolen funds through Tornado Cash. The incident saw one user lose a substantial 17 WBTC. While the damage is significant for affected users, Ekubo has confirmed that its underlying Starknet infrastructure and liquidity pools were not compromised, assuring users that their primary deployments remain safe.
Ekubo is currently working on a detailed post-mortem analysis of the attack. In the meantime, their primary advice to users is to proactively revoke any lingering token approvals through platforms like Revoke.cash, especially for assets on Ethereum and Arbitrum networks.
Potential Value Analysis
While this exploit highlights the risks, it also underscores the importance of proactive security measures in DeFi. For alpha hunters and early adopters, understanding these vulnerabilities is key to protecting existing assets and potentially identifying new opportunities. The emphasis on revoking stale token approvals is a low-effort, high-impact security practice that can prevent significant losses. As Ekubo investigates the precise mechanics of the exploit, further insights into the attack vectors could lead to the development of more robust smart contract auditing tools or even new decentralized security solutions, which could represent future investment or participation opportunities.
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected.
We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: https://t.co/9vHDLVjQWP
— Ekubo (@EkuboProtocol) May 5, 2026
Details can be found on the website : www.bankless.com