Attackers steal $1.4M wBTC from Ekubo via approval flaw

Attackers drained $1.4 million in wrapped Bitcoin (wBTC) from DeFi protocol Ekubo by exploiting an approval vulnerability in its smart contracts.
Attackers drained about $1.4 million in wrapped Bitcoin (wBTC) from Ekubo, a decentralized finance protocol, in a recent on-chain exploit. On-chain traces show attackers executed unauthorized transfer calls that moved the protocol’s wBTC into attacker-controlled addresses.
The breach targeted the token approval mechanism used by ERC-20 tokens. That mechanism allows a contract or address to authorize another party to move tokens on its behalf. According to the traces, a weakness in Ekubo’s approval logic let attackers call transferFrom and withdraw the protocol’s wBTC balances.
Security researchers monitoring the blockchain calculated the stolen amount at roughly $1.4 million in wBTC. The funds were routed through a small number of wallets soon after the transfers. There is no public sign the tokens have been returned.

Approval vulnerabilities can occur when a contract grants a spender permission without enforcing conditions, or when a function allows allowances to be set or reused improperly. Because deployed smart contract code is immutable, a protocol can change its behavior only if it built in a pause function or administrative controls beforehand.
Ekubo’s team has not published a detailed incident report at the time of reporting. Responses commonly taken in similar cases include pausing vulnerable contracts, engaging blockchain security firms, notifying exchanges and law enforcement, and seeking cooperation from centralized services to freeze or recover funds.
Users interacting with DeFi protocols are advised to review and revoke unnecessary token allowances in their wallets and to limit approvals to the amounts needed for specific transactions. Developers are advised to audit approval handling, minimize privileged functions, and consider nonce-based or permit patterns to reduce approval-related risks.
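The allowance review recommended above can be scripted. The following is an added example, not code from Ekubo or from this article: it replays ERC-20 `Approval` event logs for one owner and flags allowances that are unlimited or larger than needed. The function names, addresses and sample logs are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Return {(token, spender): value} for the owner's non-zero allowances.
    The last Approval per (token, spender) wins. transferFrom can spend an
    allowance without emitting Approval, so treat values as an upper bound
    and confirm with the token's allowance() view before acting.
    """
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        if _addr(t[1]) == owner.lower():
            latest[(log["address"].lower(), _addr(t[2]))] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def findings(logs, owner, needed=None):
    """Label each allowance 'unlimited', 'excess' (above needed) or 'ok'."""
    needed = needed or {}
    out = []
    for key, value in sorted(outstanding_allowances(logs, owner).items()):
        over = value > needed.get(key, 0)
        label = "unlimited" if value == UNLIMITED else "excess" if over else "ok"
        out.append((key[1], label))
    return out

def _log(block, owner, spender, value, token="0x" + "aa" * 20):
    """Build a constructed eth_getLogs-style record (sample data only)."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed addresses and logs, not taken from the Ekubo incident.
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
S1, S2, S3 = ("0x" + b * 20 for b in ("b1", "b2", "b3"))
SAMPLE = [_log(100, OWNER, S1, UNLIMITED), _log(101, OWNER, S2, 500),
          _log(102, OWNER, S2, 0), _log(103, OWNER, S3, 1000),
          _log(104, OTHER, S1, 7)]

if __name__ == "__main__":
    print(findings(SAMPLE, OWNER, {("0x" + "aa" * 20, S3): 1000}))
```

Any spender reported as "unlimited" or "excess" is a candidate for revocation by approving it for zero.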








