Same Vulnerability Class, Happening Again
According to monitoring by Blockaid, Ekubo Protocol's extension contract deployed on Ethereum was exploited again, with losses of approximately $1.4 million. The attack targeted Ekubo's V2 contract and affected users who had previously granted ERC-20 token approvals to the contract—native Ekubo users and liquidity providers were unaffected.
The technical pathway of this attack closely mirrors the earlier Ekubo incident on Starknet, with the root cause again pointing to missing identity verification in a contract callback function.
The Core Flaw: IPayer.pay Callback Did Not Verify Payer Identity
Specifically, the attacker exploited a design flaw in the contract's IPayer.pay callback function—this function failed to perform effective identity verification on the payer when executing payment logic.
The attacker designated user addresses holding valid ERC-20 approvals as payers, triggered the callback through the Core router, and called the transferFrom function to transfer victim assets without any active input from the user. The entire process was completely invisible to victims—until their assets were gone.
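The callback pattern described above, as an added illustration that is not Ekubo's code: the interface names, the `execute` entry point and the `pendingPayer` slot are assumptions modeled on this post's description. The vulnerable form trusts whatever `payer` the core passes in; the hardened form only pulls tokens from the address that initiated the current operation, and only while that operation is in flight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the example (constructed for this illustration).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical core/router: it settles an operation by calling back into the payer.
interface ICore {
    function process(bytes calldata params) external;
}

interface IPayer {
    function pay(address token, address payer, uint256 amount) external;
}

// VULNERABLE pattern (illustrative, not Ekubo's source): the callback trusts the
// `payer` argument, so whoever can make the core invoke it chooses whose approvals are spent.
contract VulnerablePayer is IPayer {
    address public immutable core;
    constructor(address core_) { core = core_; }
    function pay(address token, address payer, uint256 amount) external override {
        require(msg.sender == core, "not core"); // caller is checked, `payer` is not
        IERC20(token).transferFrom(payer, core, amount);
    }
}

// HARDENED pattern: remember who initiated the current operation and only pull
// tokens from that address, and only while that operation is in flight.
contract HardenedPayer is IPayer {
    address public immutable core;
    address private pendingPayer; // non-zero only inside execute()
    constructor(address core_) { core = core_; }

    // User-facing entry point: msg.sender here is the only legitimate payer
    // for the callbacks the core issues during this call.
    function execute(bytes calldata params) external {
        require(pendingPayer == address(0), "reentrant");
        pendingPayer = msg.sender;
        ICore(core).process(params); // core calls back into pay() here
        pendingPayer = address(0);
    }
    function pay(address token, address payer, uint256 amount) external override {
        require(msg.sender == core, "not core");
        require(payer != address(0) && payer == pendingPayer, "payer did not initiate");
        IERC20(token).transferFrom(payer, core, amount);
    }
}
```

With the hardened form, a call into `pay` that names an address other than the one currently inside `execute` reverts, so a third party holding no session with the contract cannot spend someone else's approval.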
Once Granted, Approvals Carry Risk Indefinitely
This incident, together with the $5.87 million approval attack disclosed by CertiK on the same day, delivers a dual warning to the DeFi security space this week: once a contract approval is granted, the risk persists long after the original interaction ends.
Blockaid recommends that all users who have previously granted approvals to the Ekubo V2 contract immediately check and revoke relevant permissions using an approval management tool. For platform operators, establishing real-time monitoring of abnormal callback patterns and batch approval calls is now urgent. Trustformer KYT provides granular on-chain transaction behavior analysis, effectively identifying early signals of approval-abuse attacks and helping users and platforms compress the loss window to its shortest possible duration.