

Ekubo is dealing with an active security incident tied to its swap router contracts on EVM chains, with early reports placing the loss near 17 WBTC, or about $1.38 million at current Bitcoin-linked prices. The core warning for users is narrow but urgent: anyone with active approvals to the affected router contracts should revoke permissions.
The incident appears to have targeted prior token approvals rather than liquidity held directly inside Ekubo’s core market structure. Ekubo’s warning was specific to EVM chains; liquidity providers and Starknet users were not affected. StarkWare also reinforced that Starknet was not part of the router incident.
The affected approvals matter because ERC-20 permissions can remain live long after a user finishes a swap. If a spender contract becomes unsafe, a past approval can become an attack path even if the user is not actively trading at the time.
Early technical analysis from Phalcon points to insufficient access control in a closed-source router or wrapper contract whose address begins with 0x8ccb1f. The reported exploit path allowed the attacker to enter the Core lock flow, withdraw WBTC, then repay the debt using a victim’s existing token approval through payCallback and transferFrom.
In plain terms, the attacker did not need to compromise the victim’s private key. The risk came from a contract flow that could use an existing approval to pull WBTC from an approved wallet. SlowMist-linked reporting described 85 separate operations of 0.2 WBTC each, adding up to 17 WBTC from one affected user address.
That structure makes the incident especially sensitive for DeFi users who leave unlimited approvals active across routers, aggregators, and trading interfaces. A wallet can look untouched until a vulnerable or misconfigured contract path turns old permissions into spendable access.
The fastest defensive step is approval revocation for affected Ekubo router contracts. Revoke.cash listed the Ekubo hack as a $1.4 million approval-related exploit affecting Ethereum and Arbitrum, while its approval checker lets users inspect and cancel active token permissions across EVM networks.
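The following added example, which is not code from Ekubo, Revoke.cash or this article, replays ERC-20 Approval event logs to find approvals that are still non-zero for a watched spender. All addresses and log entries are constructed placeholders; the article gives only the 0x8ccb1f prefix, so the real router addresses must come from Ekubo's own notice.

```python
# Added example: find approvals still live for a watched spender from Approval logs.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the common "infinite approval" value

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, watched_spenders):
    """Return {(token, owner, spender): amount} for non-zero approvals to watched spenders."""
    watched = {s.lower() for s in watched_spenders}
    state = {}
    # Later approve() calls overwrite earlier ones, so replay in chain order.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; ERC-20 carries 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if spender not in watched:
            continue
        key = (log["address"].lower(), owner, spender)
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = amount
    return state

def describe(amount):
    return "unlimited" if amount == UNLIMITED else str(amount)

# --- Constructed sample data: placeholder addresses, not real contracts or wallets ---
ROUTER, OTHER, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20

def _log(block, idx, owner, spender, amount, extra=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(105, 1, BOB, ROUTER, 0),                # Bob revoked later (listed out of order)
    _log(100, 0, ALICE, ROUTER, UNLIMITED),      # Alice: unlimited, never revoked
    _log(101, 3, BOB, ROUTER, 20_000_000),       # Bob: finite approval
    _log(102, 0, ALICE, OTHER, UNLIMITED),       # different spender, not watched
    _log(103, 0, ALICE, ROUTER, 0, ("0x" + "0" * 64,)),  # 4-topic (ERC-721 style), ignored
]

if __name__ == "__main__":
    for (token, owner, spender), amt in live_approvals(SAMPLE_LOGS, [ROUTER]).items():
        print(f"token {token} owner {owner} -> spender {spender}: {describe(amt)}")
```

The replay reports the last value passed to approve; some tokens reduce a finite allowance on transferFrom without emitting Approval, so confirm the figure with the token's allowance(owner, spender) call before and after revoking.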
That risk model fits a broader DeFi security pattern. Token approvals make swaps and app interactions easier, but unused permissions create a standing attack surface. Recent Ethereum smart-contract incidents have also shown how approvals, arbitrary calls, vault permissions, and access-control gaps can turn small code paths into liquid losses.
Ekubo’s postmortem will decide which details become final, including the full affected contract list, whether any additional users were hit, and what remediation follows. The confirmed user action is already clear: active approvals to the impacted EVM routers are the live risk surface, and every delayed revocation leaves those same contract permissions in place, with more time to become a second loss instead of a closed incident.
The post Ekubo Router Exploit Drains 17 WBTC As Users Rush To Revoke Approvals appeared first on Crypto Adventure.