PANews May 6 news, according to Blockaid monitoring, the Ekubo Protocol's custom extension contract on Ethereum suffered an attack early this morning, with approximately 1.4 million dollars stolen. Ekubo users themselves are not affected; only users who authorized the V2 contract as token spenders are at risk. The root of the vulnerability lies in the IPayer.pay callback function of the Ekubo extension contract, where the parameters payer, token, and amount of token.transferFrom come directly from the locked payload, controlled by the attacker. The contract did not verify whether the payer was the initiator of the lock or an authorized payer; attackers could leverage users' previous ERC-20 authorization for that contract, routing through Core to the extension contract, designating any authorized user as payer and themselves as the withdrawal recipient, thereby stealing assets.

Previous news, Ekubo: A security incident occurred in the Swap routing contract of Ekubo on the EVM chain, suggesting to revoke authorization for related addresses.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。