53 Seconds, 85 Transactions: How the Ekubo Router Exploit Siphoned $1.4M in Wrapped Bitcoin
Ekubo, a decentralized exchange built on Starknet, lost roughly $1.4 million worth of Bitcoin in about fifty-three seconds. Across 85 transactions the attacker drained 17 WBTC in small increments. The project's core infrastructure was not compromised; the loss came from stale wallet permissions, namely token allowances that users had granted to a router contract and never revoked.
The Ekubo team disclosed an ongoing security incident involving its exchange router for Ethereum Virtual Machine (EVM) compatible networks. The developers stated that liquidity providers were unaffected and that the Starknet deployment continues to operate normally. Users were urged to revoke previously granted approvals for several contract addresses on the Ethereum and Arbitrum networks.
The root cause was a payer verification flaw in the custom extensions of the V2 router. The attacker combined the router's callback mechanism with an unlimited WBTC allowance that a wallet owner had granted to the contract. Rather than draining the balance in one conspicuous transfer, the attacker pulled 0.2 WBTC per transaction until the funds were gone; 85 transfers of 0.2 WBTC account for the 17 WBTC total.
Security researchers note that attacks of this kind are becoming more common, and in most cases no complex zero-day is required. It is often enough to find a dormant token allowance granted to an obsolete or vulnerable contract: a standing `approve` lets that contract call `transferFrom` on the owner's balance at any later time, so any bug that lets a third party direct the contract's pulls turns the allowance into a drain.
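The remediation the Ekubo team asked for, revoking stale allowances, and the audit that precedes it can be done with nothing more than raw ERC-20 calldata. The following is an added example, not Ekubo's code or any tool the page mentions. It builds the `eth_call` payload that reads `allowance(owner, spender)`, decodes the 32-byte result, flags allowances that exceed what a token could ever need (for WBTC, 21 million coins at 8 decimals), and builds the `approve(spender, 0)` transaction that revokes them. The four-byte selectors are the standard ERC-20 ones; the token, owner and spender addresses and the RPC responses are constructed placeholders, not addresses from the incident.

```python
"""Offline ERC-20 allowance audit and revocation helpers (added example).

Assumptions: standard ERC-20 ABI; the caller submits the returned JSON-RPC
request / transaction objects through their own signer and node.
"""

UINT256_MAX = 2**256 - 1
# First 4 bytes of keccak256 of the canonical signature (fixed ERC-20 constants).
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
# WBTC has 8 decimals; no honest spender needs more than the whole supply.
WBTC_SUPPLY_CAP = 21_000_000 * 10**8


def _addr_word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be exactly 20 bytes")
    return raw.rjust(32, b"\x00")


def _uint_word(value: int) -> bytes:
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender)."""
    return "0x" + (ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)).hex()


def eth_call_request(token: str, owner: str, spender: str, request_id: int = 1) -> dict:
    """JSON-RPC eth_call object that reads the allowance at the latest block."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": token, "data": allowance_calldata(owner, spender)}, "latest"],
    }


def decode_uint256(result_hex: str) -> int:
    """Decode the 32-byte return word of a uint256 view call."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) != 32:
        raise ValueError("expected a single 32-byte return word")
    return int.from_bytes(raw, "big")


def classify_allowance(amount: int, cap: int = WBTC_SUPPLY_CAP) -> str:
    """'none', 'bounded', or 'unlimited' (anything above the token's possible supply)."""
    if amount == 0:
        return "none"
    return "unlimited" if amount > cap else "bounded"


def revoke_approve_tx(token: str, spender: str) -> dict:
    """Unsigned transaction object for approve(spender, 0), which revokes the allowance."""
    data = APPROVE_SELECTOR + _addr_word(spender) + _uint_word(0)
    return {"to": token, "value": "0x0", "data": "0x" + data.hex()}


def audit(token: str, owner: str, responses: dict) -> list:
    """Given {spender: eth_call result hex}, return revocation txs for every live allowance.

    Both bounded and unlimited non-zero allowances to a stale contract are revoked;
    the classification is returned alongside so the caller can prioritise.
    """
    findings = []
    for spender, result in responses.items():
        amount = decode_uint256(result)
        kind = classify_allowance(amount)
        if kind != "none":
            findings.append((spender, kind, amount, revoke_approve_tx(token, spender)))
    return findings


# Constructed placeholders (not real contract addresses or live responses).
TOKEN = "0x" + "aa" * 20
OWNER = "0x" + "11" * 20
SAMPLE_RESPONSES = {
    "0x" + "22" * 20: "0x" + "ff" * 32,                 # unlimited approval (uint256 max)
    "0x" + "33" * 20: "0x" + (2 * 10**7).to_bytes(32, "big").hex(),  # 0.2 WBTC bounded
    "0x" + "44" * 20: "0x" + "00" * 32,                 # already revoked
}

if __name__ == "__main__":
    for spender, kind, amount, tx in audit(TOKEN, OWNER, SAMPLE_RESPONSES):
        print(f"{spender}: {kind} allowance of {amount} -> revoke with {tx['data'][:10]}...")
```

Each `eth_call_request` is sent to a node and its `result` fed to `audit`; each returned transaction is then signed by the owner. Note that revoking via `approve(spender, 0)` only helps before a drain starts; the attack here completed in under a minute, so the check has to run routinely, not after the announcement.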
The incident also illustrates the risk of extending a Starknet project into the Ethereum ecosystem. The Starknet deployment itself stayed secure, but the EVM extension inherited the familiar weaknesses of that environment, including abuse of callbacks and attacks that ride on standing token approvals.
To cover their trail, the attacker used the RAILGUN service, then quickly deployed a malicious contract, swapped the assets via Velora, and finally moved the proceeds through Tornado Cash. This chain of mixers and swaps launders the funds quickly and makes tracing them substantially harder.
According to the CoinXtreme community, losses from attacks on DeFi projects exceeded $600 million in April alone. Against that backdrop the Ekubo incident is relatively small; even so, researchers consider attacks of this type particularly dangerous because they are simple to carry out and highly effective.