📰 【Security Alert: Security Vulnerability in Ekubo DEX Protocol’s EVM Chain Transaction Routing Contract】

BlockBeats reported on May 6 that the Starknet ecosystem DEX protocol Ekubo issued a security alert. It said that its transaction routing contract on the EVM chain has a security vulnerability; liquidity providers and users on Starknet are not affected. The team is currently investigating the extent of the impact, and all users are advised to immediately revoke the relevant contract authorizations. In addition, Yu Xian, founder of MistTrack, said that the Ekubo attackers used the payCallback mechanism to designate users who had previously granted the contract unlimited token authorizations as the payer, thereby calling the WBTC transferFrom function to transfer the victims’ assets away, carrying out a total of 85 operations, each time with 0...
Another contract vulnerability. Ekubo is a protocol that still has some substance on Starknet, but once it’s on the EVM chain, it falls short. The payCallback mechanism is being exploited—a classic variant of the replay attack. 85 transfers, each with only 0.something—this kind of theft is meant to prevent on-chain monitoring from noticing it right away. Are liquidity providers fine? That’s because the attacker specifically targeted ordinary users who had already granted authorizations.
$ETH The tragedy of the on-chain ecosystem is that as long as the contract is complex enough, vulnerabilities will always exist. Revoking authorizations is the only solution, but most users don’t even know what contract they’re trading. That’s why I always only use the quantitative framework I’ve personally audited.