Ekubo hack drains $1M in WBTC via router flaw. Users urged to revoke approvals immediately to protect funds from ongoing exploit risk.

Ekubo Hack Drains $1M in WBTC as Users Urged to Revoke Approvals


Ekubo has suffered a major hack in which around $1 million in wrapped bitcoin was stolen. Users are concerned about the attack. However, the platform immediately issued a warning urging everyone to act at once to safeguard their funds.

Ekubo Hack Drains Funds Through Router Flaw

The problem began when the attackers discovered a vulnerability in Ekubo’s EVM swap router. This bug let them reach wallets that had already approved the router. As a result, hackers could take funds without obtaining any new permissions from users.

Moreover, the attackers carried out the theft using around 85 fast transactions. One large case resulted in the loss of approximately 17 WBTC, equivalent to almost $1 million at today’s prices. After that, the stolen funds were converted into WETH and DAI.

The transactions were meticulously carried out, according to blockchain tracking data from Cyvers. The attackers automated the attack to accelerate it. The victim was thus unable to take timely action to prevent the loss.

Ekubo promptly posted updates on X to alert users. The team said that there is an active security problem on EVM chains. But they also said that liquidity providers were not impacted by this incident.

Starknet Safe While EVM Users Face Risk

Importantly, the problem affected only EVM-based systems. The core protocol on Starknet remains safe. This is because Starknet uses a different system for approvals and transactions.

On EVM chains, users tend to grant “unlimited approvals” to contracts. This means that a contract can pull tokens at any time without asking again. This is convenient, but it poses a risk if the contract is misused.

Starknet, on the other hand, implements account abstraction. This system combines the approval and the transaction in the same step. This means that users do not have to leave open permissions for extended periods of time. Therefore, the risk of such attacks becomes much lower.

The root cause of the hack was found in a function called payCallback. This function was exploited by attackers to fool the system. In a transaction, they named a victim as the “payer.” The victim had already granted unlimited permission, so the transfer was made.

As a result, the contract called a function named transferFrom to move the tokens. The tokens were then immediately transferred to the attacker’s wallet. This process happened repeatedly across multiple transactions.

Ekubo Hack Triggers Urgent Warning to Revoke Permissions

In one reported incident, the victim had granted the approval 158 days before. Unfortunately, the old approval was still in effect. This meant that the attacker could make withdrawals without any new confirmation.

Ekubo has strongly urged all users to revoke their token approvals immediately. This step could help to avoid further losses. Approval-revocation platforms can help users revoke hazardous permissions with little effort.

The incident also brings to light a larger problem in DeFi. Users often neglect to remove old approvals that may be in effect for months. Thus, frequent checks are required to maintain wallet security.
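One way to run the kind of periodic approval check described above, as an added example that is not from Ekubo or from the original article: it replays ERC-20 Approval event logs and reports allowances that are still open and either unlimited or old. The addresses, timestamps, 30-day threshold and the `timestamp` field joined onto each log are assumptions made for the illustration.

```python
# Added example with constructed data; not Ekubo's code or real on-chain addresses.
# topic0 below is keccak256("Approval(address,address,uint256)") for ERC-20 logs.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # wallets typically approve 2**256 - 1; treat huge values as unlimited
DAY = 86400

def addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, now, max_age_days=30):
    """Replay Approval logs; return live allowances that are unlimited or stale."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but carries 4 topics
        key = (log["address"].lower(), addr(t[1]), addr(t[2]))
        latest[key] = (int(log["data"], 16), log["timestamp"])  # later log overwrites
    findings = []
    for (token, owner, spender), (amount, ts) in latest.items():
        age = (now - ts) // DAY
        if amount and (amount >= UNLIMITED or age > max_age_days):  # 0 means revoked
            findings.append({"token": token, "owner": owner, "spender": spender,
                             "unlimited": amount >= UNLIMITED, "age_days": age})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

# Constructed sample data (placeholder addresses, assumed timestamp field).
TOKEN, ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "ee" * 20, "0x" + "dd" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20
NOW = 1_700_000_000

def make_log(block, owner, spender, amount, ts):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": 0, "timestamp": ts,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    make_log(90, CAROL, ROUTER, 10**8, NOW - 200 * DAY),       # finite but stale
    make_log(100, ALICE, ROUTER, 2**256 - 1, NOW - 158 * DAY),  # unlimited, never revoked
    make_log(110, BOB, ROUTER, 2**256 - 1, NOW - 90 * DAY),
    make_log(120, BOB, ROUTER, 0, NOW - 89 * DAY),              # Bob revoked a day later
    make_log(130, CAROL, OTHER, 5 * 10**8, NOW - 2 * DAY),      # small and recent
]

if __name__ == "__main__":
    print(open_approvals(SAMPLE_LOGS, NOW))
```

The last Approval event is only an upper bound on the live allowance, because spending can reduce it without a new event, so confirm each finding with the token's `allowance(owner, spender)` call before revoking.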

Overall, this hack is a reminder that little things can cause big losses. Ekubo responded swiftly, but users need to be vigilant as well. In the future, improved security measures and safer approval processes could mitigate these risks in DeFi.
