VERSE PRESS

Crypto News, Global First.

Ekubo Protocol Loses $1.4M in WBTC After Callback Authorization Bypass in EVM Router

A flaw in Ekubo Protocol's EVM swap router failed to verify whether the party triggering a payment callback was actually authorized to initiate that payment, allowing an attacker to drain approximately 17 wrapped bitcoin, worth roughly $1.4 million, on May 5, 2026. The exploit pulled tokens directly from users' wallets via the standard ERC-20 `transferFrom` function, affecting only those who had previously granted the contract a spending allowance.


The vulnerability sat inside Ekubo's EVM v2 swap router, a contract the Starknet-native decentralized exchange deployed to let users on EVM-compatible chains access its liquidity. Security firm Blockaid identified the root cause: the router failed to check whether the party triggering a payment callback was actually authorized to initiate that payment. The gap allowed an attacker to call the standard ERC-20 `transferFrom` function directly, pulling tokens out of any wallet that had previously granted the contract a spending allowance. Only users who had set those approvals were exposed. Starknet-side liquidity providers and the core protocol on Starknet were not touched.

After draining the WBTC, the attacker converted the funds into WETH and DAI. This is a classic laundering step: WBTC is highly traceable, and converting it into more fungible assets such as WETH and DAI obscures the trail while reducing slippage risk on exit.

On-chain analyst @Dogetoshi flagged the movement shortly after it occurred.

Ekubo's team confirmed the incident in a public statement and told users to revoke all outstanding approvals on the v2 contract immediately, pointing them to Revoke.cash as a remediation tool.


"There is an active security incident on the Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals."


What Went Wrong

Ekubo is built natively on Starknet, Ethereum's ZK-rollup scaling layer, where it operates as a concentrated liquidity AMM (a type of exchange that lets users set price ranges for their liquidity). Its EVM contracts function as stateless routers, meaning they handle swap routing without storing protocol state. That design allows redeployment after a problem, though redeployment means launching a new, clean contract and does not mean stolen funds are recoverable. Because Ethereum contracts are immutable once deployed, the compromised v2 router itself cannot be patched retroactively.

The protocol underwent a competitive security audit through Code4rena in November 2025, which covered Ekubo's Starknet contracts. Whether the EVM v2 router fell within that audit's scope has not been confirmed; if it did not, the router may have gone live without an equivalent review of its own.

Blockaid described the failure plainly: "The vulnerability arises from the contract's failure to verify if the payer is the lock initiator or an authorized payer during payment callbacks."
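The check Blockaid says was missing can be made concrete with a minimal lock-and-callback router. The following is an added illustrative example, not Ekubo's code and not a reproduction of the v2 router: the contract names, the hypothetical `ICore.lock` / `locked` callback shape, the `payerAuthorized` delegation mapping and the swap entrypoint are all assumptions chosen to model the pattern the article describes. The first contract shows the shape of the flaw (the callback trusts a `payer` value without tying it to the account that started the lock); the second shows the check that closes it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example added to this article. NOT Ekubo's code: the
// contract names, the ICore interface, the callback signature and the
// delegation mapping are assumptions that model the lock-and-callback
// pattern the article and Blockaid describe.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical core contract: `lock` performs the swap and then calls
/// `locked(data)` back on msg.sender so the router can collect payment.
interface ICore {
    function lock(bytes calldata data) external;
}

/// VULNERABLE PATTERN (illustrative). The caller check proves the core is
/// calling back, but nothing ties `payer` to the account that started the
/// swap, so the callback will pull from any address that has granted this
/// router an ERC-20 allowance.
contract VulnerableRouter {
    address public immutable core;

    constructor(address core_) { core = core_; }

    function swap(address token, uint256 amount, address payer) external {
        ICore(core).lock(abi.encode(token, amount, payer));
        // swap settlement omitted; only the payment path is modelled
    }

    function locked(bytes calldata data) external {
        require(msg.sender == core, "not core");
        (address token, uint256 amount, address payer) =
            abi.decode(data, (address, uint256, address));
        // Missing: is `payer` the lock initiator or an authorized payer?
        IERC20(token).transferFrom(payer, core, amount);
    }
}

/// HARDENED PATTERN (illustrative). The router records who initiated the
/// lock for the duration of the call and only pulls from that account, or
/// from an account that has explicitly delegated payment to it.
contract HardenedRouter {
    address public immutable core;

    // Initiator of the in-flight lock. Zero outside a swap, so the router
    // keeps no persistent protocol state between transactions.
    address private lockInitiator;

    // payer => operator => allowed. `payer` permits `operator` to settle
    // swaps with the payer's tokens (assumed delegation scheme).
    mapping(address => mapping(address => bool)) public payerAuthorized;

    constructor(address core_) { core = core_; }

    function setPayerAuthorized(address operator, bool allowed) external {
        payerAuthorized[msg.sender][operator] = allowed;
    }

    function swap(address token, uint256 amount, address payer) external {
        require(lockInitiator == address(0), "lock in progress");
        lockInitiator = msg.sender;
        ICore(core).lock(abi.encode(token, amount, payer));
        lockInitiator = address(0);
        // swap settlement omitted; only the payment path is modelled
    }

    function locked(bytes calldata data) external {
        require(msg.sender == core, "not core");
        (address token, uint256 amount, address payer) =
            abi.decode(data, (address, uint256, address));
        address initiator = lockInitiator;
        require(initiator != address(0), "no lock in progress");
        // THE CHECK: the payer must be the lock initiator, or must have
        // delegated payment to the initiator beforehand.
        require(
            payer == initiator || payerAuthorized[payer][initiator],
            "unauthorized payer"
        );
        // Production code would use a SafeERC20-style wrapper here, since
        // some tokens do not return a bool from transferFrom.
        require(IERC20(token).transferFrom(payer, core, amount), "transferFrom failed");
    }
}
```

Two design points follow from the hardened version. First, a router that is "stateless" in the protocol sense still has to carry the initiator's identity across the callback, either in storage that is cleared before the entrypoint returns, as above, or in transient storage; a callback that has no memory of who started the lock cannot make this check at all. Second, the check limits who can name a payer, but the outstanding ERC-20 allowance is what defines the blast radius if such a check is missing, which is why revoking approvals is the only user-side mitigation available once a router like this is live.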


Market Reaction

The EKUBO token fell roughly 30 to 33 percent in the 24 hours following disclosure, hitting an all-time low of $0.3421 on May 5. The token's all-time high was $7.64, placing the current price approximately 88 percent below that peak. Broader markets moved in the opposite direction during the same window, with ETH gaining around 1.16 percent.


Broader Context: A Damaging Year for DeFi Security

The Ekubo incident arrives during what has been a particularly costly stretch for decentralized finance. Estimated losses from DeFi exploits in 2026 have already exceeded $400 million through April, with Kelp DAO (roughly $292 million) and Drift Protocol (roughly $285 million) accounting for the largest share. Volo Protocol lost $3.5 million just weeks before the Ekubo attack.

Approval-based exploits are a recurring pattern this year. SwapNet/Matcha Meta lost $13.4 million in an identical authorization abuse attack in January 2026. Aperture Finance lost $3.67 million in a related incident during the same month.

Revoking unused token permissions, a practice known as approval hygiene, remains one of the simplest defenses available to retail users and is widely overlooked. Tools like Revoke.cash, which supports Ethereum and more than 100 EVM networks, make the process straightforward regardless of which chain a user has been active on.


Regional Stakes: Starknet's African Expansion

The timing carries particular weight for developers in Africa. StarkWare, the company behind Starknet, operates a $4 million venture fund targeting early-stage blockchain startups across Nigeria, Ghana, East Africa, and Francophone West and Central Africa, with a focus on teams intending to build on Starknet.

While the exploit hit only Ekubo's EVM layer and left Starknet infrastructure intact, an attack on the network's flagship AMM introduces reputational friction at a moment when African blockchain builders are actively seeking international investment. Starknet has publicly positioned Ekubo as "the AMM endgame," making the protocol central to the network's credibility in the region.

African blockchain startups already capture only about 1.8 percent of global venture funding (as of H1 2024), and security incidents in prominent Starknet protocols are unlikely to help that figure. Developers and community members in the region can connect through the Starknet Africa community at starknet.africa, an active touchpoint for builders navigating the ecosystem.

The implications extend beyond Africa. India, Pakistan, and Bangladesh are among the most active retail DeFi participants globally, where mobile-first crypto adoption often prioritizes speed over security review. DAI, one of the assets the attacker converted the stolen funds into, is particularly significant for South Asian users who rely on it to hedge against local currency volatility, making awareness of approval risks especially important in those markets.

For developers across both regions who are actively learning EVM-based tooling, the Ekubo case illustrates a structural point: a protocol audited and secured on one chain cannot assume that security carries over automatically when it deploys router contracts on a different chain. Cairo, Starknet's smart contract language, and Solidity, the language used for EVM contracts, have distinct security paradigms. EVM wrappers and bridge contracts require their own full audit cycles.

Any users who interacted with Ekubo's EVM router and have not yet revoked their approvals should do so at Revoke.cash without delay.