DeFi protocol Ekubo suffered a $1.4 million wrapped bitcoin drain after attackers exploited an approval-based weakness linked to its v2 contract. Blockchain security firm CertiK said the attack targeted user token approvals rather than Ekubo’s core liquidity.
According to CertiK, the attacker abused a flaw in the IPayer.pay callback. This allowed them to control key details such as the payer, token, and amount. As a result, the attacker transferred tokens that users had already approved for the v2 contract.
However, CertiK said Ekubo’s core protocol users were not impacted. The main risk applies to users who approved the v2 contract as a token spender.
Why Token Approvals Remain a DeFi Risk
Token approvals are a common part of decentralized finance. When users interact with DeFi apps, they often allow smart contracts to move certain assets from their wallets.
This setup makes transactions easier. However, it can also create serious risks when permissions stay active for too long.
Approval-based exploits often target:
- Old smart contract permissions
- Unlimited token approvals
- Wallets connected to inactive DeFi apps
- Contracts with weak callback logic
- Tokens with large approved balances
Wrapped bitcoin, or wBTC, remains a valuable target because it brings Bitcoin liquidity into DeFi. Traders use it for lending, borrowing, yield farming, and margin trading. Therefore, any approved wBTC balance can attract attackers.
Users Urged to Review Ekubo v2 Approvals
The Ekubo exploit adds to a long list of DeFi security incidents. ChainSec’s tracker listed 191 DeFi exploit cases by April 30, with reported losses above $6.1 billion.
For users, the next step is clear. They should review wallet permissions and revoke any unnecessary approvals, especially those linked to Ekubo’s v2 contract.
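The review-and-revoke step above, as an added example (not CertiK's or Ekubo's code): it replays ERC-20 Approval events for one wallet, flags the live allowances granted to a given spender (unlimited and large ones first, matching the risk list earlier on the page), and builds the `approve(spender, 0)` calldata that revokes each one. All addresses and events are constructed placeholders, since the real v2 contract and token addresses are not given here.

```python
from collections import namedtuple

# keccak256("approve(address,uint256)")[:4]: the standard ERC-20 approve() selector.
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses; the real Ekubo v2 and token addresses are not given here.
WALLET, V2_SPENDER, OTHER_SPENDER = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
WBTC, OTHER_TOKEN = ("0x" + "aa" * 20, "0x" + "bb" * 20)

# One ERC-20 Approval(owner, spender, value) event as decoded from a node's logs.
Approval = namedtuple("Approval", "block token owner spender value")


def current_allowances(events):
    """Replay Approval events in block order: the last one per (owner, token, spender)
    wins, and a final value of 0 means the allowance was already revoked."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        latest[(ev.owner.lower(), ev.token.lower(), ev.spender.lower())] = ev.value
    return {key: value for key, value in latest.items() if value > 0}


def risky_approvals(events, owner, spender, large_threshold):
    """List live allowances owner granted to spender as (token, value, reason)."""
    findings = []
    for (o, token, s), value in current_allowances(events).items():
        if o != owner.lower() or s != spender.lower():
            continue
        if value == MAX_UINT256:
            reason = "unlimited approval"
        elif value >= large_threshold:
            reason = "large approved balance"
        else:
            reason = "active approval to affected spender"
        findings.append((token, value, reason))
    return findings


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): the call that revokes an ERC-20 allowance."""
    addr = spender.lower()[2:].rjust(64, "0")  # assumes a 0x-prefixed address
    return "0x" + APPROVE_SELECTOR + addr + "0" * 64


# Constructed sample events (out of block order on purpose): unlimited wBTC to v2, 5 units
# (8 decimals) of a second token to v2, a small grant elsewhere, and one later revoked.
SAMPLE_EVENTS = [
    Approval(112, WBTC, WALLET, OTHER_SPENDER, 5 * 10**7),
    Approval(100, WBTC, WALLET, V2_SPENDER, MAX_UINT256),
    Approval(120, OTHER_TOKEN, WALLET, OTHER_SPENDER, 0),
    Approval(110, OTHER_TOKEN, WALLET, V2_SPENDER, 5 * 10**8),
    Approval(105, OTHER_TOKEN, WALLET, OTHER_SPENDER, 10**8),
]
```

With a threshold of 1 wBTC (10**8 base units), the v2 spender yields two findings to revoke, while the allowance zeroed at block 120 drops out as already revoked.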
For DeFi teams, the incident sends another warning. Audits and strong core contracts are important, but they are not enough. Callback design, spender permissions, and connected contract logic can still become weak points.