One Unlimited Approval, 17 WBTC Gone: How Ekubo's Exploit Silently Drained Wallets Across 85 Transactions

Tags: Ekubo, WBTC, unlimited approval, Starknet, DeFi security, smart contract, wallet security, revoke approval

The Bug Was in the Router, but the Approval You Forgot Made You the Victim

On May 6, 2026, Ekubo, a DEX protocol in the Starknet ecosystem, issued an urgent security alert: a vulnerability had been found in its EVM-chain transaction routing contract. Notably, liquidity providers and native Starknet users were unaffected. The victims were ordinary users who had at some point granted that routing contract an unlimited token approval.

SlowMist founder Yu Xian subsequently disclosed the technical details: the attacker abused the contract's payCallback mechanism to name users who had granted unlimited approvals as the "payer", after which the contract itself called WBTC's transferFrom and moved the victims' funds. The attack ran 85 operations in total, each pulling exactly 0.2 WBTC. A single wallet address, 0x765DEC, lost 17 WBTC in aggregate, which is exactly 85 × 0.2 WBTC.

The payCallback Mechanism: A Common Feature, Dangerously Abused

A payment callback such as payCallback is a common DeFi design pattern: during a swap, the pool calls back into the router to collect the tokens it is owed, and the router settles by calling transferFrom on the named payer. It is not inherently dangerous. It becomes dangerous when the "payer" is taken from caller-controlled data rather than bound to the account that initiated the swap: then every user who has granted that contract an unlimited approval becomes an unwitting passive payer. An unlimited approval makes this worse than a bounded one, because in most ERC-20 implementations the maximum allowance value is never decremented, so the contract can keep pulling 0.2 WBTC at a time until the owner revokes it or the balance is empty.

The stealth of this attack vector lies in what did not happen: no victim account was compromised and no private key was stolen. The entry point was the "Approve" button the user clicked months or years earlier.

Revoking Approvals Is Not Optional—It's Essential

Ekubo officially advised all users to revoke the relevant contract approvals immediately and said the scope of impact was still under investigation. In ERC-20 terms, revocation means calling the token's approve(spender, 0) for each affected spender, and the exposure can be checked beforehand with allowance(owner, spender). This incident once again shows that regularly auditing and revoking wallet approvals is a baseline security practice, not an optional one.
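To make the mechanism in the two sections above concrete, here is an added illustration (not Ekubo's code, and not taken from the original article): a toy model of ERC-20 allowance bookkeeping, a router whose payment callback trusts a caller-supplied payer, a hardened router that binds the payer and amount to the swap initiator, and the effect of revoking the approval. All names (Token, VulnerableRouter, HardenedRouter, "router_v", the attacker and pool addresses) are hypothetical; the victim address and the 85 × 0.2 WBTC figures are the ones the article reports, and the balances are constructed for the example.

```python
"""Toy model of allowance abuse through a payment callback.

Added illustration, not Ekubo's contract. Hypothetical names throughout.
Amounts are in WBTC base units (8 decimals), as on-chain.
"""

UNLIMITED = 2**256 - 1          # value wallets write for "unlimited approval"
WBTC_DECIMALS = 8


def wbtc(amount):
    """Human-readable WBTC -> base units (1 WBTC = 10**8 units)."""
    return int(round(amount * 10**WBTC_DECIMALS))


class Token:
    """Minimal ERC-20 balance/allowance bookkeeping (constructed for this example)."""

    def __init__(self):
        self.balance = {}
        self.allowance = {}      # (owner, spender) -> remaining allowance

    def mint(self, to, amount):
        self.balance[to] = self.balance.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount   # approve(spender, 0) revokes

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Common ERC-20 behaviour: an unlimited allowance is never decremented,
        # so every later pull succeeds until the owner revokes it.
        if allowed != UNLIMITED:
            self.allowance[(owner, caller)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount


class VulnerableRouter:
    """Settles a callback using whatever payer the caller put in the data."""
    name = "router_v"

    def __init__(self, token):
        self.token = token

    def pay_callback(self, caller, data):
        # Bug modelled here: `caller` and data["payer"] are never related,
        # so anyone can name any account that approved this router.
        self.token.transfer_from(self.name, data["payer"], data["to"], data["amount"])


class HardenedRouter:
    """Only the account that opened the swap can be charged, and only up
    to the amount it asked for, and only while that swap is in flight."""
    name = "router_h"

    def __init__(self, token):
        self.token = token
        self._in_flight = None   # (initiator, remaining budget) or None

    def swap(self, user, amount, pool):
        self._in_flight = (user, amount)
        try:
            pool(self, {"payer": user, "amount": amount, "to": "pool"})
        finally:
            self._in_flight = None

    def pay_callback(self, caller, data):
        user, budget = self._in_flight or (None, 0)
        if data["payer"] != user or data["amount"] > budget:
            raise PermissionError("callback not authorised by the swap initiator")
        self._in_flight = (user, budget - data["amount"])
        self.token.transfer_from(self.name, data["payer"], data["to"], data["amount"])


def drain(router, victim, attacker, per_call, calls):
    """Attacker invokes the callback directly, naming the victim as payer."""
    taken = 0
    for _ in range(calls):
        try:
            router.pay_callback(attacker, {"payer": victim, "amount": per_call, "to": attacker})
            taken += per_call
        except PermissionError:
            break
    return taken


def scenario_vulnerable():
    """Unlimited approval + payer taken from calldata: 85 pulls of 0.2 WBTC."""
    t, r = Token(), VulnerableRouter(Token.__new__(Token)) and None or None
    t = Token(); r = VulnerableRouter(t)
    t.mint("0x765DEC", wbtc(20))
    t.approve("0x765DEC", r.name, UNLIMITED)
    return drain(r, "0x765DEC", "attacker", wbtc(0.2), 85)    # 17 WBTC in base units


def scenario_hardened():
    """Same approval, but the payer is bound to the initiator: legit swap pays, attacker gets 0."""
    t = Token(); r = HardenedRouter(t)
    t.mint("0x765DEC", wbtc(20))
    t.approve("0x765DEC", r.name, UNLIMITED)
    honest_pool = lambda router, data: router.pay_callback("pool", data)
    r.swap("0x765DEC", wbtc(0.2), honest_pool)
    return t.balance.get("pool", 0), drain(r, "0x765DEC", "attacker", wbtc(0.2), 85)


def scenario_revoked():
    """Even the vulnerable router is harmless once the user sets the allowance to 0."""
    t = Token(); r = VulnerableRouter(t)
    t.mint("0x765DEC", wbtc(20))
    t.approve("0x765DEC", r.name, UNLIMITED)
    t.approve("0x765DEC", r.name, 0)                # the revoke the advisory asks for
    return drain(r, "0x765DEC", "attacker", wbtc(0.2), 85)


if __name__ == "__main__":
    print("vulnerable router drained:", scenario_vulnerable() / 10**WBTC_DECIMALS, "WBTC")
    print("hardened router (paid by swap, stolen):", scenario_hardened())
    print("after revoke drained:", scenario_revoked())
```

The hardened variant is the check a reviewer would ask for: the callback must not accept an identity from the caller but derive it from state the contract itself wrote when the user's own transaction began, and it must cap the amount to what that user asked to pay. Revocation closes the hole from the user's side regardless of what the contract does, which is why the advisory leads with it.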

For DeFi platforms and compliance teams, approval-abuse attacks represent an important category of on-chain risk. Trustformer KYT can detect abnormal batch transfer patterns in real time, helping platforms issue early warnings before an attack spreads and protecting user assets at scale.

About Trustformer

Trustformer is a leading blockchain security and compliance technology company specializing in providing professional risk management and compliance solutions for the global cryptocurrency ecosystem. We have developed the cutting-edge Trustformer KYT (Know Your Transaction) platform, which integrates artificial intelligence, blockchain analytics, and regulatory technology to deliver comprehensive, accurate real-time transaction monitoring, risk assessment, and suspicious activity reporting services.

With deep industry expertise and technological innovation, Trustformer is dedicated to helping Virtual Asset Service Providers (VASPs), crypto financial institutions, and investors build a safer and more transparent crypto financial environment. We believe that driving compliance and trust through technology can contribute to the thriving growth of the global digital economy.