GetChain News

Security/Hacker

News linked to both this project and an event.

Ekubo Protocol’s custom extension contract attacked, resulting in approximately $1.4 million in losses

According to security firm Blockaid (@blockaid_), Ekubo Protocol’s v2 custom extension contract on Ethereum is under an ongoing attack, resulting in losses of approximately $1.4 million so far. The root cause lies in the IPayer.pay callback within this extension, which fails to properly restrict the origin of its parameters—enabling attackers to control the payer, token, and amount parameters and thereby arbitrarily transfer authorized tokens. Users of Ekubo’s core protocol remain unaffected; however, users who have authorized the v2 contract (0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd) as a token spender face direct risk. Blockaid recommends that affected users immediately revoke their approvals.

SlowMist's Yu Xian: Ekubo contract maliciously exploited, a user has already lost 17 WBTC

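SlowMist founder Yu Xian posted on X: "A contract related to Ekubo has been maliciously exploited. The cause is if a user previously approved the relevant tokens to 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd; for example, this unlimited WBTC approval by user 0x765DEC (158 days ago): the attacker can specify an approved user as the payer and, in payCallback, have that contract call WBTC transferFrom(victim, Ekubo Core, amount), then move the assets to the attacker through the withdraw/pay settlement flow of Ekubo Core (0xe0e0e08A6A4b9Dc7bD67BCB7aadE5cF48157d444). This operation was executed 85 times, 0.2 WBTC each time, and user 0x765DEC ultimately lost 17 WBTC. Users are advised to follow the official notice and check approvals to the following contracts as soon as possible: 0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd (V2), 0x4f168f17923435c999f5c8565acab52c2218edf2 (V3), Arbitrum: 0xc93c4ad185ca48d66fefe80f906a67ef859fc47d (V3)."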

Ekubo Protocol: Security Risk Identified in EVM Chain Swap Router Contract, Users Advised to Revoke Approvals

Ekubo Protocol officially stated on the X platform that an active security incident has been identified in the Ekubo Swap Router contract on EVM chains. The impact is limited to EVM chains, with LPs unaffected; Starknet is also unaffected. The team is investigating the scope of the issue, but as a safety precaution, users are advised to revoke all approvals.
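
The approval check and revocation advised in the items above, sketched as an added example (not code from Ekubo, Blockaid or SlowMist). It builds the standard ERC-20 `allowance(owner, spender)` query for each spender address listed on this page, decodes the node's reply, and produces `approve(spender, 0)` calldata; the token and wallet addresses and the sample replies are constructed placeholders.

```python
import json

# Spender addresses as listed in the SlowMist post quoted on this page.
SPENDERS = {
    "V2": "0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd",
    "V3": "0x4f168f17923435c999f5c8565acab52c2218edf2",
    "Arbitrum V3": "0xc93c4ad185ca48d66fefe80f906a67ef859fc47d",
}
ALLOWANCE = "dd62ed3e"  # ERC-20 selector: allowance(address,address)
APPROVE = "095ea7b3"    # ERC-20 selector: approve(address,uint256)


def word(addr):
    """Left-pad a 20-byte hex address to one 32-byte ABI word."""
    h = addr.lower()[2:] if addr.lower().startswith("0x") else addr.lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return h.rjust(64, "0")


def allowance_request(token, owner, spender, req_id=1):
    """JSON-RPC eth_call body asking `token` for allowance(owner, spender)."""
    data = "0x" + ALLOWANCE + word(owner) + word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_uint256(result):
    """Decode an eth_call result; an empty '0x' means no value was returned."""
    body = result[2:] if result.startswith("0x") else result
    return int(body, 16) if body else 0


def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent to the token from the owner."""
    return "0x" + APPROVE + word(spender) + "0" * 64


def exposed(results):
    """Map label -> allowance for every listed spender still approved (> 0)."""
    amounts = {label: decode_uint256(r) for label, r in results.items()}
    return {label: a for label, a in amounts.items() if a > 0}


if __name__ == "__main__":
    token = "0x" + "11" * 20   # constructed placeholder token address
    owner = "0x" + "22" * 20   # constructed placeholder wallet address
    for label, spender in SPENDERS.items():
        print(label, json.dumps(allowance_request(token, owner, spender)))
    # Constructed sample eth_call results: unlimited, zero, empty.
    sample = {"V2": "0x" + "f" * 64, "V3": "0x" + "0" * 64, "Arbitrum V3": "0x"}
    print(exposed(sample), revoke_calldata(SPENDERS["V2"]))
```

Each request body is posted to an RPC endpoint of the chain the spender lives on, once per token the wallet holds; any non-zero result means that spender can still move the token until the revoke transaction is mined.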