
Ekubo Protocol exploit drains $1.4M after callback flaw abused old token approvals, exposing persistent risks of unlimited DeFi permissions.
Author: Akshat Thakur
6th May 2026 – Ekubo Protocol, Starknet’s largest permissionless AMM, lost approximately $1.4 million after attackers exploited a vulnerability in its EVM swap router contracts on Monday.
High Signal Summary For A Quick Glance
defiCosmos ⚛
@defiCosmos
@EkuboProtocol I got drained because of a token approval.
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: https://t.co/9vHDLVjQWP
03:03 AM·May 6, 2026
CoinXtreme
@coinxtreme_en
@EkuboProtocol The attacker abused the victim’s unlimited $WBTC approval via malicious payCallback loops — pulling 0.2 WBTC at a time 🤥 https://t.co/dQFQJjaaG6
🚨 HARD LESSON FROM THE $1.4M EKUBO HACK: Your Approvals Are the Biggest Threat in DeFi Just 53 seconds. 85 transactions. 17 $WBTC (~$1.4M) drained from one single user. No core protocol breach. No liquidity pool drained. No Starknet impact. Just a missing payer validation https://t.co/DiXuFVC4Qs https://t.co/GV5lRiHWpK
02:39 AM·May 6, 2026
P=NP || P!=NP
@n0x_man
@EkuboProtocol https://t.co/PXhmvxNkyZ

There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: https://t.co/9vHDLVjQWP
02:05 AM·May 6, 2026
Ekubo confirmed the breach in a thread on X, urging users to revoke all outstanding approvals immediately. “There is an active security incident on Ekubo swap router contract on EVM chains only,” the team wrote. “Liquidity providers are not affected. Starknet is not affected.”
The team disclosed the Ekubo Protocol exploit on May 5 at around 20:02 UTC. Only Ekubo’s Ethereum V2, Ethereum V3, and Arbitrum V3 router contracts suffered losses. Meanwhile, Starknet’s core deployment, all liquidity providers, and the core AMM contracts continued operating normally throughout.
The root cause was a logic flaw in Ekubo’s EVM extension contract. Specifically, the IPayer.pay callback function failed to verify whether the payer matched the legitimate lock initiator.
Because of this flaw, attackers could craft a malicious lock payload that named any address as the “payer” in the callback. The router then called transferFrom on that payer, draining tokens from wallets that had previously approved the router contracts.
Users who had granted unlimited ERC-20 approvals to the V2 router faced the greatest risk. The attacker looped the exploit roughly 85 times, draining about 0.2 WBTC per iteration. As a result, one victim at address 0x765DEC lost 17 WBTC in total, according to on-chain data.
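To make the missing check concrete, here is an added, simplified model (example code, not Ekubo's contract; Token, Router, pay_callback and settle_with are hypothetical names) of a lock-and-callback router: the same payload runs against a router that skips the payer check and against one that requires the payer to be the account that opened the lock.

```python
from dataclasses import dataclass, field
UINT256_MAX = 2**256 - 1  # what an "unlimited" ERC-20 approve() sets

@dataclass
class Token:
    """Toy ERC-20 (hypothetical): balances plus allowance[owner][spender]."""
    balances: dict = field(default_factory=dict)
    allowance: dict = field(default_factory=dict)
    def approve(self, owner, spender, amount):
        self.allowance.setdefault(owner, {})[spender] = amount
    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get(owner, {}).get(spender, 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # unlimited approvals never shrink
            self.allowance[owner][spender] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Router:
    """Hypothetical router: lock() records who opened the lock and runs the payload;
    pay_callback() settles by pulling tokens with the allowance granted to the router."""
    def __init__(self, token, validate_payer):
        self.token, self.validate_payer, self.locker = token, validate_payer, None
    def lock(self, caller, payload):
        self.locker = caller
        try:
            payload(self)
        finally:
            self.locker = None
    def pay_callback(self, payer, recipient, amount):
        # The check the article says was missing: the account charged must be the lock initiator.
        if self.validate_payer and payer != self.locker:
            raise PermissionError("payer is not the lock initiator")
        self.token.transfer_from("router", payer, recipient, amount)

def settle_with(validate_payer):
    """The victim approved the router without limit; an unrelated account opens a
    lock whose payload names the victim as payer. Returns the victim's balance."""
    token = Token(balances={"victim": 17})
    token.approve("victim", "router", UINT256_MAX)
    router = Router(token, validate_payer)
    try:
        router.lock("other", lambda r: r.pay_callback("victim", "other", 1))
    except PermissionError:
        pass
    return token.balances["victim"]
```

Without the check the victim's balance drops even though the victim signed nothing new; with it, the callback is rejected and the balance is untouched.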
The attackers funded their wallet through Railgun and quickly swapped the stolen WBTC into ETH. Blockaid reportedly tracked the transactions as they occurred.
Ekubo published the three affected contract addresses and urged users to revoke approvals for each one immediately.
On Ethereum, attackers compromised both the V2 router and the V3 router. On Arbitrum, the attack also hit the V3 router.
In contrast, the core router contract on Ethereum played no role in the exploit. Starknet contracts handle the majority of Ekubo’s ~$28.5 million TVL and remained fully secure. According to DefiLlama, Ekubo holds about $21.3 million on Starknet and $7.25 million on Ethereum.
Key milestones in Ekubo EVM Router Exploit
Attackers exploit a vulnerable callback in Ekubo’s EVM router extensions, repeatedly draining approved user funds through looping WBTC transfers.
Ekubo confirms an active security incident affecting only Ethereum and Arbitrum router extensions, while clarifying Starknet and LP funds remain unaffected.
Users are instructed to immediately revoke approvals through revoke.cash to prevent additional unauthorized transfers.
Team confirms ongoing forensic work, warns users about phishing attempts, and reiterates the exploit scope is limited to deprecated EVM extensions.
Revoke.cash launches a dedicated checker tool while independent analysts confirm the technical root cause and estimated ~$1.4M losses.
Refund processes begin for affected users as the team prepares a full post-mortem and long-term fixes for deprecated router infrastructure.
Within hours of the disclosure, Ekubo’s security team launched a refund portal for affected EVM users. “Submit your refund request, then use Deep Revoke by Ekubo to remove all outstanding approvals linked to the affected swap router,” the team wrote on X.
In addition, Revoke.cash released a dedicated exploit checker. Users can verify whether their wallet holds active approvals to any of the compromised contracts and revoke them directly through the tool.
Whether all affected users will receive full refunds remains unclear. The team continues to tally the final loss amount as of May 6.
The Ekubo Protocol exploit did not break the core smart contracts. Instead, it targeted the trust users place in token approvals, a recurring attack vector across DeFi.
When users approve a contract to spend their tokens, they often grant unlimited access for convenience. That saves gas on future transactions but also creates a standing vulnerability. If the approved contract contains a flaw, attackers can drain funds without the user signing a new transaction.
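As an added example (not Ekubo's or Revoke.cash's code), the following offline audit replays a wallet's ERC-20 Approval logs and lists the live approvals to the affected routers, flagging unlimited ones; the router addresses and sample logs are placeholders constructed for illustration, not the real addresses from Ekubo's notice.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak("Approval(address,address,uint256)")
UNLIMITED = 2**256 - 1           # value set by an "unlimited" approve()
AFFECTED_ROUTERS = {             # PLACEHOLDER addresses, not the real ones
    "0x1111111111111111111111111111111111111111": "Ethereum V2 router",
    "0x2222222222222222222222222222222222222222": "Ethereum V3 router",
    "0x3333333333333333333333333333333333333333": "Arbitrum V3 router",
}

def topic_to_address(topic):
    """Indexed address topics are the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, wallet):
    """Replay Approval(owner, spender, value) events in order and keep the
    latest value per (token, spender); a later approve(0) is a revoke."""
    latest = {}
    for log in logs:
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != wallet.lower():
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def approvals_to_revoke(logs, wallet):
    """Live approvals from `wallet` to an affected router, flagged when unlimited."""
    return [
        (token, spender, AFFECTED_ROUTERS[spender], amount == UNLIMITED)
        for (token, spender), amount in outstanding_approvals(logs, wallet).items()
        if spender in AFFECTED_ROUTERS
    ]

def _pad(addr):                  # build a 32-byte topic from an address
    return "0x" + addr[2:].rjust(64, "0")

# Constructed sample logs (not real chain data); wallet and token are placeholders.
WALLET = "0x" + "aa" * 20
TOKEN = "0x" + "bb" * 20
V2, V3, OTHER = list(AFFECTED_ROUTERS)[:2] + ["0x" + "44" * 20]
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(WALLET), _pad(V2)], "data": "0x" + "ff" * 32},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(WALLET), _pad(OTHER)], "data": "0x" + "%064x" % 1000},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(WALLET), _pad(V3)], "data": "0x" + "%064x" % 5},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(WALLET), _pad(V3)], "data": "0x" + "0" * 64},
]
```

On the sample, only the unlimited V2 approval is reported: the V3 approval was already reset to zero, and the third spender is not an affected router.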
Similar approval-based exploits have hit DeFi before. For example, the BadgerDAO attack in 2021 drained $120 million through manipulated approvals. Multichain’s AnySwap router exploit followed a comparable pattern. Consequently, the lesson remains consistent: unlimited approvals carry real risk.
Community reaction on X reflected this theme. CoinXtreme called it a “hard lesson” and wrote, “Your approvals are the biggest threat in DeFi.” Multiple users echoed the message, urging followers to audit their active approvals regularly.
One notable detail is the clear separation between Ekubo’s Starknet deployment and its EVM extensions. Plainshift audited the Starknet contracts in February 2025, and they played no part in the exploit.
Code4rena audited the EVM extension contracts separately. The vulnerability appeared in the callback logic specific to EVM chains, not in the core AMM architecture.
Some Starknet community members pointed to this as evidence that the protocol’s native design remained sound. They argued the risk came from extending into EVM environments, where Ethereum-style approval patterns introduce additional attack surface.
Ekubo commands roughly 60% of Starknet’s total DEX TVL. As a result, its Starknet operations continued without interruption during the incident. Neither the STRK nor EKUBO tokens experienced material price impact.
Ekubo has promised a full post-mortem, though the team has not yet announced a timeline. The exact final loss amount, complete attacker transaction history, and refund details all remain pending.
For now, users who interacted with Ekubo’s EVM routers should revoke all approvals immediately. Tools like Revoke.cash and Ekubo’s own Deep Revoke feature provide the quickest path to safety.
The incident reinforces a core DeFi security principle: regularly audit and revoke token approvals, especially unlimited ones. Approvals granted months ago to forgotten contracts can become an open door for attackers.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.