Ekubo Protocol, a decentralized exchange built on Starknet with EVM extensions, suffered a targeted exploit resulting in the theft of approximately $1.4 million in Wrapped Bitcoin (WBTC). The attack, which took place on May 6, 2026, exploited an access control vulnerability in the protocol’s EVM swap router contracts.
Blockchain security firm Blockaid identified the root cause as a flawed payment callback mechanism within the v2 EVM extension contracts. The vulnerable contracts accepted payer, token, and amount parameters from attacker-controlled data without verifying that the payer had authorized the transaction. This allowed bad actors to drain funds from wallets that had previously granted token approvals to the router.
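The flaw described above, as an added example (a Python model of the bug class, not Ekubo's contract code): an unchecked callback that trusts a caller-supplied payer sits beside a hardened path that binds the payer to the account that opened the swap. The names `Token`, `Router`, `alice`, `mallory` and the amount 17 are constructed for illustration.

```python
class Token:
    """ERC-20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if min(allowed, self.balances.get(owner, 0)) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Router:
    ADDRESS, POOL = "router", "pool"
    _initiator = None  # account that opened the swap currently in progress

    def pay_callback_unchecked(self, payer, token, amount):
        # Flawed: payer comes from caller-supplied data and is never authorized.
        token.transfer_from(self.ADDRESS, payer, self.POOL, amount)

    def swap(self, caller, token, amount):
        # Hardened: payer is bound to the caller, never decoded from callback data.
        self._initiator = caller
        try:
            self._pay_callback(token, amount)
        finally:
            self._initiator = None

    def _pay_callback(self, token, amount):
        token.transfer_from(self.ADDRESS, self._initiator, self.POOL, amount)

def compare():
    """Return (hardened rejected?, alice after hardened, alice after unchecked)."""
    token = Token({"alice": 17})  # constructed account and balance
    token.approve("alice", Router.ADDRESS, 17)  # approval granted to the router earlier
    router = Router()
    try:
        router.swap("mallory", token, 17)  # can only draw on mallory's own allowance
        rejected = False
    except PermissionError:
        rejected = True
    after_hardened = token.balances["alice"]
    router.pay_callback_unchecked("alice", token, 17)  # payer named by a third party
    return rejected, after_hardened, token.balances["alice"]
```

In the model, revoking the approval (setting the allowance to 0) makes the unchecked path fail as well, which is why revoking approvals protects wallets while the vulnerable contracts remain deployed.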
The attacker executed the theft across roughly 85 rapid transactions. The primary victim lost around 17 WBTC, which was promptly converted to WETH and DAI. On-chain data from security monitors like Cyvers confirmed the movement. Ekubo’s team responded quickly, alerting users and urging them to revoke outstanding approvals via revoke.cash. Importantly, the protocol’s core Starknet deployment and its broader liquidity base remained unaffected, as the vulnerability was limited to the EVM router.
Ekubo’s EVM contracts are immutable, so a patched redeployment will be necessary. No further losses had been reported at publication time. The incident adds to a brutal year for DeFi security, with 2026 losses already surpassing $750 million prior to this event.