DeFi Protocol Ekubo Hit by $1.4 Million Wrapped Bitcoin Attack

Approval-based flaws continue driving DeFi exploits as 2026 losses climb beyond $750 million worldwide.

Fresh security failures continue to pressure decentralized finance platforms in 2026. Rising attack frequency has pushed protocol teams to tighten audits and review contract permissions more aggressively. Ekubo Protocol became the latest target after attackers exploited a flaw in its EVM infrastructure related to token approval handling. The incident adds to a growing list of exploits that have already drained hundreds of millions from DeFi platforms this year.

Blockaid Identifies Access-Control Weakness Behind Ekubo Attack

Ekubo Protocol lost roughly $1.4 million in wrapped bitcoin after attackers exploited an access-control vulnerability in its EVM-based swap router contracts. Blockchain security firm Blockaid said the exploit targeted a vulnerable payment callback mechanism in Ekubo’s v2 EVM extension contracts.

Root Cause:

The Ekubo extension implements its IPayer[.]pay callback (selector 0x599d0714, gated to msg.sender == EkuboCore) by doing token.transferFrom(payer, Core, amount) where payer, token, and amount are forwarded straight from the lock payload- i.e. controlled by whoever…

— Blockaid (@blockaid_) May 5, 2026

Ekubo operates as a concentrated liquidity AMM, first launched on Starknet and later expanding to Ethereum and Arbitrum. The platform is known for its singleton architecture and modular extension design.

According to Blockaid, attackers manipulated the payload data, including the payer, token, and amount parameters. Contracts reportedly failed to verify whether the payer had approved the transaction before execution. That weakness allowed attackers to drain wallets that had previously granted token approvals to the affected router contracts.

Security researchers said attackers carried out the theft through nearly 85 rapid transactions. On-chain monitoring platforms, including Cyvers, tracked the stolen funds after roughly 17 WBTC were removed from a primary victim wallet. Assets were later swapped into WETH and DAI.

DeFi Losses Top $750M Following Recent Exploit

Ekubo warned users shortly after discovering the breach. Team members confirmed that the exploit affected only EVM swap router contracts, while liquidity providers remained unaffected. Developers also stated that the protocol’s main Starknet deployment continued to operate normally.

Starknet is not affected by the Ekubo router incident.

The issue happened on EVM, where users often leave unlimited token approvals behind.

On Starknet, native Account Abstraction enables a better UX: apps can bundle authorization and execution in the same transaction, so users… https://t.co/ZLMn2RTgdm

— StarkWare 🥷 (@StarkWareLtd) May 6, 2026

Users were urged to revoke outstanding token approvals immediately through revoke.cash to reduce further exposure. Ekubo also noted that the affected EVM contracts are immutable by design, leaving redeployment as the only available fix for the compromised router system.

The attack reflects a wider pattern seen across decentralized finance this year. Approval-based vulnerabilities and permission flaws have repeatedly surfaced in modular DeFi protocols, especially those handling cross-chain or extension-based infrastructure.

DeFi-related losses had already surpassed $750 million before the Ekubo exploit, according to earlier reporting from The Block. April alone recorded roughly $620 million in stolen funds across nearly 30 separate incidents.

Large breaches involving Drift Protocol and Kelp DAO accounted for the majority of the month’s losses. Smaller attacks against Wasabi Protocol and Volo Protocol also added to the pressure on an already difficult year for DeFi security.