TechFlow News: On May 6, security firm Blockaid (@blockaid_) reported that Ekubo Protocol’s v2 custom extension contract on Ethereum is under an ongoing attack, resulting in losses of approximately $1.4 million so far. The root cause lies in the IPayer.pay callback function within this extension, which fails to properly restrict the origin of its parameters—enabling attackers to fully control the payer, token, and amount parameters and thereby arbitrarily transfer authorized tokens.
Users of Ekubo’s core protocol remain unaffected; however, users who previously authorized the v2 contract (0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd) as a token spender face direct risk. Blockaid advises affected users to revoke their approvals immediately.
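To act on the revocation advice above, a wallet owner or incident responder first needs to know which tokens still carry an approval to the v2 contract. The following is an added example, not code from Blockaid or Ekubo: it builds the standard ERC-20 `allowance` query for the spender address named in the report, decodes the node's reply, and produces the `approve(spender, 0)` calldata that revokes the approval. The wallet address, token addresses and RPC replies are constructed placeholders; the function names are hypothetical.

```python
import json

# Spender address taken from the report above (Ekubo v2 extension contract).
V2_SPENDER = "0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd"
SEL_ALLOWANCE = "dd62ed3e"   # ERC-20 allowance(address,address)
SEL_APPROVE = "095ea7b3"     # ERC-20 approve(address,uint256)
UNLIMITED = 2**256 - 1

def addr_word(addr):
    """ABI-encode an address as a left-padded 32-byte hex word."""
    h = addr.lower()[2:] if addr.lower().startswith("0x") else addr.lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return h.rjust(64, "0")

def allowance_request(token, owner, spender=V2_SPENDER, req_id=1):
    """JSON-RPC eth_call body asking `token` for allowance(owner, spender)."""
    data = "0x" + SEL_ALLOWANCE + addr_word(owner) + addr_word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_allowance(response):
    """Return the allowance as int, or None if the reply is not one uint256."""
    raw = response.get("result", "")[2:]
    if "error" in response or len(raw) != 64:
        return None   # reverted, not a contract, or non-standard token
    return int(raw, 16)

def revoke_calldata(spender=V2_SPENDER):
    """Calldata for approve(spender, 0), sent by the owner to the token."""
    return "0x" + SEL_APPROVE + addr_word(spender) + "0" * 64

def triage(responses):
    """Map token -> (allowance, is_unlimited) for every non-zero approval."""
    exposed = {}
    for token, resp in responses.items():
        value = decode_allowance(resp)
        if value:
            exposed[token] = (value, value == UNLIMITED)
    return exposed

if __name__ == "__main__":
    owner = "0x" + "11" * 20                            # constructed sample wallet
    tok_a, tok_b = "0x" + "aa" * 20, "0x" + "bb" * 20   # constructed tokens
    print(json.dumps(allowance_request(tok_a, owner)))
    replies = {tok_a: {"result": "0x" + "f" * 64},      # constructed replies
               tok_b: {"result": "0x" + "0" * 64}}
    for token in triage(replies):
        print("revoke on", token, "->", revoke_calldata())
```

The request body can be posted to any Ethereum JSON-RPC endpoint; the revoke calldata is the `data` field of a transaction the owner signs and sends to the token contract itself, not to the v2 contract.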




