Skip to content

DeFi protocol Ekubo suffers $1.4 million hack amid ongoing security concerns

Attackers drain USD 1.4M in wrapped bitcoin from DeFi protocol Ekubo in approval-based exploit
Share this article

Decentralized finance protocol Ekubo Protocol has lost roughly $1.4 million in wrapped Bitcoin (WBTC) after attackers took advantage of a vulnerability in its EVM swap router contracts on Wednesday. 

The exploit comes at a time when the entire 2026 has already been a tough year for security across the DeFi space.

Ekubo, which operates as an AMM ( automated market maker) on Starknet, Ethereum, and Arbitrum chains, is distinguished by its singleton design and modular expansion capabilities. 

While these design elements provide efficiency and flexibility in implementing the protocol, they may also create extra vulnerabilities if not adequately secured.

As identified by blockchain cybersecurity company Blockaid, the vulnerability arose due to poor access control in the v2 EVM extension contracts of Ekubo. In particular, the bug arose because of the flawed design of the payment callback functionality, which would receive information from the payer’s wallet, including the payer’s address, the token involved, and the payable amount, without verifying whether the payer had approved the transaction or not.

The loophole enabled hackers to create malicious payloads that resulted in illicit funds being transferred from the user’s wallet that previously accepted those router contracts. 

In simpler terms, the hack did not involve any direct intrusion of the users’ wallets but rather the exploit of the permission the user had already granted, which is becoming increasingly common in DeFi.

How did the attack happen?

The attackers carried out the exploit through around 85 rapid transactions, draining funds quickly before any response could slow them down. Onchain data flagged by monitoring platforms like Cyvers shows that the primary victim lost about 17 WBTC. 

The stolen funds were then swapped into WETH and the stablecoin DAI, a common tactic used to make tracking and recovery more difficult.

Ekubo moved quickly to notify users, confirming that the issue was limited to its EVM-based swap router contracts. 

“There is an active security incident on Ekubo’s swap router contract on EVM chains only,” the protocol said in a public update. It also clarified that liquidity providers were not impacted and that its core Starknet deployment, along with the wider liquidity base, remained unaffected.

The team advised users to revoke any approval tokens for the contracts that were exploited right away through means such as revoke.cash. It is imperative that users do so as approval tokens could remain active despite the contract exploit being detected.

Ekubo at present is faced with a situation that makes rectifying the situation difficult. The contracts in question are immutable within the EVM environment. At present, the only solution is to release a new, patched version of the router and have users migrate to it. 

The incident highlights the ongoing risks tied to approval-based exploits in modular DeFi systems. These vulnerabilities have shown up repeatedly throughout 2026, as protocols continue to push for more complex and interconnected designs.

Ekubo’s exploit comes as defi attacks rise

DeFi losses this year have already crossed $750 million even before the Ekubo exploit, underlining the scale of the problem. April itself brought losses worth around $620 million from close to 30 separate attacks, making it one of the most active months for hacking operations ever seen.

A majority of the amount was lost due to massive hacks, such as the one involving the hackers stealing $280 million worth of cryptocurrency from the Drift Protocol and $292 million worth of crypto from the Kelp DAO hack. 

Apart from these hacks, there were other small hacks, such as the theft of $4.5 million worth of admin keys of Wasabi Protocol and $3.5 million worth of vault hack of Volo Protocol.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.