Decentralized finance protocol Ekubo Protocol has lost roughly $1.4 million in wrapped Bitcoin (WBTC) after attackers took advantage of a vulnerability in its EVM swap router contracts on Wednesday.
The exploit comes at a time when the entire 2026 has already been a tough year for security across the DeFi space.
Ekubo, which operates as an AMM ( automated market maker) on Starknet, Ethereum, and Arbitrum chains, is distinguished by its singleton design and modular expansion capabilities.
While these design elements provide efficiency and flexibility in implementing the protocol, they may also create extra vulnerabilities if not adequately secured.
As identified by blockchain cybersecurity company Blockaid, the vulnerability arose due to poor access control in the v2 EVM extension contracts of Ekubo. In particular, the bug arose because of the flawed design of the payment callback functionality, which would receive information from the payer’s wallet, including the payer’s address, the token involved, and the payable amount, without verifying whether the payer had approved the transaction or not.
The loophole enabled hackers to create malicious payloads that resulted in illicit funds being transferred from the user’s wallet that previously accepted those router contracts.
In simpler terms, the hack did not involve any direct intrusion of the users’ wallets but rather the exploit of the permission the user had already granted, which is becoming increasingly common in DeFi.
How did the attack happen?
The attackers carried out the exploit through around 85 rapid transactions, draining funds quickly before any response could slow them down. Onchain data flagged by monitoring platforms like Cyvers shows that the primary victim lost about 17 WBTC.
The stolen funds were then swapped into WETH and the stablecoin DAI, a common tactic used to make tracking and recovery more difficult.
Ekubo moved quickly to notify users, confirming that the issue was limited to its EVM-based swap router contracts.
“There is an active security incident on Ekubo’s swap router contract on EVM chains only,” the protocol said in a public update. It also clarified that liquidity providers were not impacted and that its core Starknet deployment, along with the wider liquidity base, remained unaffected.
The team advised users to revoke any approval tokens for the contracts that were exploited right away through means such as revoke.cash. It is imperative that users do so as approval tokens could remain active despite the contract exploit being detected.
Ekubo at present is faced with a situation that makes rectifying the situation difficult. The contracts in question are immutable within the EVM environment. At present, the only solution is to release a new, patched version of the router and have users migrate to it.
The incident highlights the ongoing risks tied to approval-based exploits in modular DeFi systems. These vulnerabilities have shown up repeatedly throughout 2026, as protocols continue to push for more complex and interconnected designs.
Ekubo’s exploit comes as defi attacks rise
DeFi losses this year have already crossed $750 million even before the Ekubo exploit, underlining the scale of the problem. April itself brought losses worth around $620 million from close to 30 separate attacks, making it one of the most active months for hacking operations ever seen.
A majority of the amount was lost due to massive hacks, such as the one involving the hackers stealing $280 million worth of cryptocurrency from the Drift Protocol and $292 million worth of crypto from the Kelp DAO hack.
Apart from these hacks, there were other small hacks, such as the theft of $4.5 million worth of admin keys of Wasabi Protocol and $3.5 million worth of vault hack of Volo Protocol.



