PANews|5月 06, 2026 01:41
[Blockaid: Ekubo has lost approximately $1.4 million in an attack incident]
According to monitoring by Blockaid, the Ekubo Protocol's custom extension contract on Ethereum was attacked in the early hours, resulting in the theft of approximately $1.4 million. Ekubo users themselves are not affected; only users who authorized the V2 contract as a token spender are at risk.
The vulnerability stems from the IPayer.pay callback function in Ekubo's extension contract, where the `payer`, `token`, and `amount` parameters of `token.transferFrom` are directly derived from the locked payload and controlled by the attacker. The contract does not verify whether the `payer` is the initiator of the lock or an authorized payer.
Attackers can exploit prior ERC-20 authorizations granted by users to this contract, route the lock through the Core to the extension contract, designate any authorized user as the `payer`, and set themselves as the withdrawal recipient, thereby stealing assets.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink