PANews reported on May 6th that, according to Blockaid monitoring, Ekubo Protocol's custom extension contract on Ethereum was attacked in the early hours of the morning, resulting in the theft of approximately $1.4 million. Ekubo users themselves are unaffected; only users who authorized the V2 contract as a token spender are at risk. The vulnerability stems from the `IPayer.pay` callback function of the Ekubo extension contract. The `payer`, `token`, and `amount` parameters passed to `token.transferFrom` come directly from the lock payload and are therefore attacker-controlled. The contract does not check whether the payer is the initiator of the lock or an authorized payer. By routing a Core lock to the extension contract, an attacker can set any user who previously granted an ERC-20 approval to the contract as the payer and set themselves as the withdrawal recipient, thereby stealing that user's assets.
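To make the missing check concrete, here is an added illustration (not Ekubo's code; the contract, struct and function names are assumptions) of a lock-settlement callback in the vulnerable shape described above, beside a hardened version that only debits the lock initiator or a payer who explicitly opted in:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not Ekubo's code. Names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Minimal extension that settles a lock by pulling tokens with transferFrom.
contract PaymentExtension {
    address public immutable core; // only Core is allowed to invoke the callbacks

    struct PayParams {
        address payer;     // whose approval is consumed
        address token;
        uint256 amount;
        address recipient; // where the tokens go
    }

    // Optional delegation: payer explicitly allows a specific locker to debit them.
    mapping(address => mapping(address => bool)) public authorizedLocker;

    constructor(address _core) { core = _core; }

    function setAuthorizedLocker(address locker, bool allowed) external {
        authorizedLocker[msg.sender][locker] = allowed;
    }

    /// Vulnerable shape: payer/token/amount/recipient are decoded straight
    /// from the lock payload. Anyone who can route a lock here can name any
    /// address that has approved this contract as `payer`.
    function payUnchecked(bytes calldata payload) external {
        require(msg.sender == core, "not core");
        PayParams memory p = abi.decode(payload, (PayParams));
        IERC20(p.token).transferFrom(p.payer, p.recipient, p.amount);
    }

    /// Hardened shape: Core passes the lock initiator explicitly, and the
    /// extension refuses to debit anyone who is neither the initiator nor a
    /// payer that opted in for this locker.
    function payChecked(address locker, bytes calldata payload) external {
        require(msg.sender == core, "not core");
        PayParams memory p = abi.decode(payload, (PayParams));
        require(
            p.payer == locker || authorizedLocker[p.payer][locker],
            "payer is not the lock initiator or an authorized payer"
        );
        IERC20(p.token).transferFrom(p.payer, p.recipient, p.amount);
    }
}
```

The defensive takeaway is that any contract holding standing ERC-20 approvals must bind the `from` of every `transferFrom` to the party that actually initiated the call, since approvals granted to the contract are otherwise usable by whoever can reach that code path.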
Previous reports indicated that a security incident occurred in Ekubo's Swap routing contract on the EVM chain, and it was recommended to revoke authorization for the relevant addresses.