Audit log
Every state-changing event for Ekubo Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 · publish · by system:backfill · 2026-06-24 23:10:18Z · Score: ? → ? (no score change) · anchor: anchored
- chain: mainnet-beta, slot 428,686,843
- sig: 3Tg4CTbsnZfB…ZTqmc5Mr
- hash: EPY74SjVjVju…w4Km26KQ (sha256 → base58)

Canonical bytes (17614 B):
{"actor":"system:backfill","investigation_id":"766c540c-a4ce-4c02-afb8-366643c4aaf1","kind":"publish","page_slug":"ekubo-protocol","published_at":"2026-06-24T23:10:18.735Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Ekubo Protocol","sections":[{"content":"Ekubo Protocol is a decentralized exchange (DEX) deploying a concentrated-liquidity, singleton-architecture automated market maker (AMM). The protocol was founded by Moody Salem, former lead engineer at Uniswap where he contributed to the v3 and v4 architecture. Ekubo launched on Starknet and expanded to EVM chains including Ethereum and Arbitrum via extension contracts. Uniswap Labs Ventures invested $12 million in Ekubo at a $60 million valuation. The protocol has attracted a 1.5% allocation of the STRK airdrop and backing from core Starknet teams. As of mid-2026, Ekubo holds approximately $22 million in total value locked (TVL), with roughly 83% on Starknet and 17% on Ethereum. Its capital efficiency is notable: a 30-day trading volume of approximately $855 million relative to its TVL indicates a high volume-to-TVL ratio for a DEX of its size.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Ekubo: The AMM Endgame | Starknet","type":"official","url":"https://www.starknet.io/blog/ekubo-the-amm-endgame/"},{"credibility":2,"name":"Ekubo TVL, Fees, Revenue and Volume | DefiLlama","type":"research","url":"https://defillama.com/protocol/ekubo"},{"credibility":2,"name":"RFC: Onboarding Ekubo Inc. as a core developer of Uniswap Protocol","type":"official","url":"https://gov.uniswap.org/t/rfc-onboarding-ekubo-inc-as-a-core-developer-of-uniswap-protocol/22085"}]},{"content":"On May 5, 2026 at approximately 17:50 UTC, an attacker exploited a critical access-control vulnerability in Ekubo's EVM swap router extension contracts. 
The root cause, identified by blockchain security firm Blockaid, was a missing payer-validation check in the IPayer.pay callback function (selector 0x599d0714, gated to msg.sender == EkuboCore). This callback, used within Ekubo's flash-accounting framework, accepted payer, token, and amount parameters from attacker-controlled payload data without verifying that the nominated payer had authorized the current transaction or matched the lock initiator. The attacker deployed a malicious callback contract at 0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd and a dispatcher contract at 0x61b0dad9628d3e644eb560a5c9b0f960430e3a75. The attack operated on Ekubo Core at 0xe0e0e08a6a4b9dc7bd67bcb7aade5cf48157d444. Across 85 separate transactions originating from attacker EOA 0xa911ff351b143634dbc5af3e204ea074583a83e3, the exploit repeatedly called the payCallback function, each iteration withdrawing 0.2 WBTC by invoking transferFrom() against the victim EOA at 0x765decf4fa157756e850c1079f60801b9219edd1, which held a pre-existing unlimited WBTC approval to the router. Ekubo Core's flash-accounting balance sheet remained net-zero throughout, as the stolen funds were used to satisfy debt obligations — meaning the protocol's accounting was satisfied while the victim bore all losses. Total losses were approximately 17 WBTC, valued at roughly $1.36–$1.4 million at the time. Affected contracts included the Ethereum V2 router, Ethereum V3 router, and Arbitrum V3 router. The Starknet core deployment, all on-chain liquidity positions, and the core AMM contracts were not affected. 
The stolen WBTC was converted to WETH and DAI via Velora, resulting in approximately $404,000 USDC, $403,000 DAI, and 239.5 ETH, later routed through Tornado Cash.","heading":"EVM Router Exploit — May 5, 2026","severity":"critical","sources":[{"credibility":2,"name":"WBTC Approval Drain Routed Through Ekubo Flash Accounting | DARKNAVY","type":"research","url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"credibility":1,"name":"Attackers drain $1.4M in wrapped bitcoin from DeFi protocol Ekubo in approval-based exploit | The Block","type":"news_article","url":"https://www.theblock.co/post/400189/attackers-drain-1-4m-in-wrapped-bitcoin-from-defi-protocol-ekubo-in-approval-based-exploit"},{"credibility":2,"name":"Ekubo hack drains $1.36M in 85 transactions | AMBCrypto","type":"news_article","url":"https://ambcrypto.com/ekubo-hack-drains-1-36m-in-85-transactions-are-defi-wallets-at-risk/amp/"},{"credibility":2,"name":"Ekubo exploited for $1.4 million | Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/ekubo-exploit"},{"credibility":2,"name":"Ekubo Protocol Loses $1.4M in wBTC After Attackers Exploit Access Control Flaw | Crypto Economy","type":"news_article","url":"https://crypto-economy.com/ekubo-protocol-loses-1-4m-in-wbtc/"}]},{"content":"The vulnerability is classified as a Protocol Logic / Improper Access Control exploit. The flaw resided exclusively in Ekubo's EVM extension layer, a set of immutable smart contracts deployed separately from Starknet core. Because the EVM contracts are immutable by design, redeployment of patched contracts is the only remediation path available to the protocol team. Any wallet that had ever granted an ERC-20 approval to the affected router contracts — regardless of whether a current liquidity position was held — was at risk of having its tokens drained if the attacker chose to target that wallet. 
The immutability of the contracts means there was no on-chain mechanism to pause or disable the vulnerable function once the exploit was live, and all remaining exposure could only be mitigated by end-user revocation of approvals. Blockaid attributed the root-cause identification to its own monitoring systems. DefiLlama formally classified the incident as a Protocol Logic attack on its historical event log.","heading":"Vulnerability Classification and Scope","severity":"critical","sources":[{"credibility":2,"name":"WBTC Approval Drain Routed Through Ekubo Flash Accounting | DARKNAVY","type":"research","url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"credibility":2,"name":"Ekubo Protocol Exploit on Ethereum Causes $1.4M Loss | Phemex News","type":"news_article","url":"https://phemex.com/news/article/ekubo-protocol-exploit-on-ethereum-causes-14-million-loss-78961"},{"credibility":2,"name":"Ekubo TVL, Fees, Revenue and Volume | DefiLlama","type":"research","url":"https://defillama.com/protocol/ekubo"}]},{"content":"Shortly after the incident, Ekubo posted an alert on X (formerly Twitter) at account @EkuboProtocol stating: 'There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals.' The team directed users to revoke.cash to remove all outstanding approvals tied to the three affected router contracts (Ethereum V2, Ethereum V3, and Arbitrum V3). Multiple reporting outlets noted that Ekubo committed to publishing a full technical post-mortem, though as of the date of this investigation no such document had been publicly released. Reports also indicate that Ekubo launched a refund portal for affected EVM users, though no formal compensation commitment or timeline had been publicly announced as of mid-June 2026. 
Because EVM contracts are immutable, affected routers cannot be patched; patched replacements would require new contract deployments and fresh user approvals.","heading":"Team Response and User Guidance","severity":"high","sources":[{"credibility":2,"name":"Ekubo on X — official security incident announcement","type":"social_media","url":"https://x.com/EkuboProtocol/status/2051754481465856038"},{"credibility":2,"name":"Ekubo Investigates Security Breach in EVM Chain Swap Router | Phemex News","type":"news_article","url":"https://phemex.com/news/article/ekubo-investigates-security-breach-in-evm-chain-swap-router-79001"},{"credibility":2,"name":"Ekubo DEX Users Drained for $1.4M in Token Approval Exploit | Bankless","type":"news_article","url":"https://www.bankless.com/read/news/ekubo-dex-users-drained-for-1-4m-in-token-approval-exploit"},{"credibility":3,"name":"Security Incident with Ekubo Swap Routing Contract | Binance Square","type":"news_article","url":"https://www.binance.com/en/square/post/05-06-2026-ekubo-swap-320061504530674"}]},{"content":"Following the theft, the attacker converted 17 WBTC into a mix of stablecoins and ETH using Velora, resulting in approximately $404,000 USDC, $403,000 DAI, and 239.5 ETH (approximately $577 ETH equivalent, valued at roughly $1.36 million at the time). The consolidated ETH was subsequently routed through Tornado Cash, an on-chain privacy mixer. The use of Tornado Cash for proceeds laundering follows a pattern common to DeFi exploits and significantly reduces the likelihood of fund recovery. 
No law enforcement actions or asset freezes had been reported as of mid-June 2026.","heading":"Fund Flow and Laundering","severity":"high","sources":[{"credibility":2,"name":"Ekubo hack drains $1.36M in 85 transactions | AMBCrypto","type":"news_article","url":"https://ambcrypto.com/ekubo-hack-drains-1-36m-in-85-transactions-are-defi-wallets-at-risk/amp/"},{"credibility":2,"name":"WBTC Approval Drain Routed Through Ekubo Flash Accounting | DARKNAVY","type":"research","url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"credibility":2,"name":"Ekubo exploited for $1.4 million | Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/ekubo-exploit"}]},{"content":"The exploit highlights several structural risk factors in EVM extension architectures deployed alongside non-EVM core systems. First, immutable contract design removes the ability to pause or patch in response to discovered vulnerabilities without deploying entirely new contracts. Second, the flash-accounting paradigm — where debt obligations are satisfied at the end of a transaction rather than checked at each step — can obscure unauthorized fund flows within a single transaction context. Third, the approval-based attack vector exploits a pervasive ERC-20 behavior: unlimited approvals granted once remain valid indefinitely unless explicitly revoked. The Ekubo incident is categorically distinct from a rug pull or exit scam; the development team has no alleged involvement in the theft and the Starknet core protocol continued operating normally. 
However, the failure to include payer-validation logic in a callback that processes external token transfers represents a significant smart-contract security oversight in a production system managing tens of millions in TVL.","heading":"Structural Risk Factors","severity":"medium","sources":[{"credibility":2,"name":"WBTC Approval Drain Routed Through Ekubo Flash Accounting | DARKNAVY","type":"research","url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"credibility":2,"name":"Ekubo Protocol Exploited for $1.4 Million in WBTC via EVM Router Vulnerability | MEXC News","type":"news_article","url":"https://www.mexc.com/news/1074312"},{"credibility":3,"name":"Real-time Invariant Monitoring: Lessons from the $1.4M Ekubo Exploit | Block Magnates","type":"research","url":"https://blog.blockmagnates.com/real-time-invariant-monitoring-lessons-from-the-1-4m-ekubo-exploit-02b99e98beb6"}]}],"sources_used":[{"credibility":1,"name":"Attackers drain $1.4M in wrapped bitcoin from DeFi protocol Ekubo in approval-based exploit | The Block","type":"news_article","url":"https://www.theblock.co/post/400189/attackers-drain-1-4m-in-wrapped-bitcoin-from-defi-protocol-ekubo-in-approval-based-exploit"},{"credibility":2,"name":"WBTC Approval Drain Routed Through Ekubo Flash Accounting | DARKNAVY","type":"research","url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"credibility":2,"name":"Ekubo exploited for $1.4 million | Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/ekubo-exploit"},{"credibility":2,"name":"Ekubo DEX Users Drained for $1.4M in Token Approval Exploit | Bankless","type":"news_article","url":"https://www.bankless.com/read/news/ekubo-dex-users-drained-for-1-4m-in-token-approval-exploit"},{"credibility":2,"name":"Ekubo hack drains $1.36M in 85 transactions | 
AMBCrypto","type":"news_article","url":"https://ambcrypto.com/ekubo-hack-drains-1-36m-in-85-transactions-are-defi-wallets-at-risk/amp/"},{"credibility":2,"name":"Ekubo Protocol Loses $1.4M in wBTC After Attackers Exploit Access Control Flaw | Crypto Economy","type":"news_article","url":"https://crypto-economy.com/ekubo-protocol-loses-1-4m-in-wbtc/"},{"credibility":2,"name":"Ekubo Protocol Exploited for $1.4 Million in WBTC via EVM Router Vulnerability | MEXC News","type":"news_article","url":"https://www.mexc.com/news/1074312"},{"credibility":2,"name":"Ekubo approval-based exploit drains $1.4M in wrapped bitcoin | The CC Press","type":"news_article","url":"https://theccpress.com/ekubo-approval-based-exploit-drains-1-4m-wrapped-bitcoin/"},{"credibility":2,"name":"Ekubo Investigates Security Breach in EVM Chain Swap Router | Phemex News","type":"news_article","url":"https://phemex.com/news/article/ekubo-investigates-security-breach-in-evm-chain-swap-router-79001"},{"credibility":2,"name":"Ekubo Protocol Exploit on Ethereum Causes $1.4M Loss | Phemex News","type":"news_article","url":"https://phemex.com/news/article/ekubo-protocol-exploit-on-ethereum-causes-14-million-loss-78961"},{"credibility":2,"name":"Ekubo on X — official security incident announcement","type":"social_media","url":"https://x.com/EkuboProtocol/status/2051754481465856038"},{"credibility":2,"name":"Ekubo TVL, Fees, Revenue and Volume | DefiLlama","type":"research","url":"https://defillama.com/protocol/ekubo"},{"credibility":2,"name":"Ekubo: The AMM Endgame | Starknet","type":"official","url":"https://www.starknet.io/blog/ekubo-the-amm-endgame/"},{"credibility":2,"name":"RFC: Onboarding Ekubo Inc. 
as a core developer of Uniswap Protocol | Uniswap Governance","type":"official","url":"https://gov.uniswap.org/t/rfc-onboarding-ekubo-inc-as-a-core-developer-of-uniswap-protocol/22085"},{"credibility":3,"name":"Real-time Invariant Monitoring: Lessons from the $1.4M Ekubo Exploit | Block Magnates","type":"research","url":"https://blog.blockmagnates.com/real-time-invariant-monitoring-lessons-from-the-1-4m-ekubo-exploit-02b99e98beb6"},{"credibility":2,"name":"Ekubo Loses $1.4 Million After Attackers Exploit EVM Swap Router Flaw | FinanceFeeds","type":"news_article","url":"https://financefeeds.com/ekubo-loses-1-4-million-after-attackers-exploit-evm-swap-router-flaw/"}],"summary":"Ekubo Protocol is a concentrated-liquidity DEX built primarily on Starknet, founded by ex-Uniswap lead engineer Moody Salem and backed by Uniswap Labs Ventures. On May 5, 2026, a missing payer-validation check in the IPayer.pay callback of its EVM swap router contracts allowed an attacker to drain approximately $1.4 million in WBTC from a single victim wallet across 85 rapid transactions, with the Starknet core deployment and liquidity providers remaining unaffected. The stolen funds were subsequently converted to ETH and routed through Tornado Cash.","timeline":[{"date":"2022-01-01","event":"Ekubo Protocol founded by Moody Salem, former lead engineer at Uniswap.","source":"Starknet Blog","source_url":"https://www.starknet.io/blog/ekubo-the-amm-endgame/"},{"date":"2024-01-01","event":"Uniswap Labs Ventures invests $12 million in Ekubo at a $60 million valuation.","source":"Uniswap Governance Forum","source_url":"https://gov.uniswap.org/t/rfc-onboarding-ekubo-inc-as-a-core-developer-of-uniswap-protocol/22085"},{"date":"2026-05-05","event":"Attacker EOA 0xa911ff351b143634dbc5af3e204ea074583a83e3 exploits missing payer validation in Ekubo EVM router IPayer.pay callback. 
85 transactions drain 17 WBTC (~$1.4M) from victim 0x765decf4fa157756e850c1079f60801b9219edd1 beginning at 17:50:35 UTC in block 25030409, transaction 0x770bc9a1f7c32cb63a5002b9ceb5c7994cd3af0fc6b2309cb32d3c46f629daa0.","source":"DARKNAVY Technical Analysis","source_url":"https://www.darknavy.org/web3/exploits/wbtc-approval-drain-via-ekubo-flash-accounting/"},{"date":"2026-05-05","event":"Stolen 17 WBTC converted to approximately $404K USDC, $403K DAI, and 239.5 ETH via Velora; proceeds subsequently routed through Tornado Cash.","source":"AMBCrypto","source_url":"https://ambcrypto.com/ekubo-hack-drains-1-36m-in-85-transactions-are-defi-wallets-at-risk/amp/"},{"date":"2026-05-05","event":"Ekubo posts security alert on X, confirming active incident on EVM swap router contracts only and urging all users to revoke approvals via revoke.cash. Starknet and liquidity providers confirmed unaffected.","source":"Ekubo Protocol on X","source_url":"https://x.com/EkuboProtocol/status/2051754481465856038"},{"date":"2026-05-06","event":"The Block, Bankless, and AMBCrypto publish reporting on the exploit. Blockaid credited with root-cause identification.","source":"The Block","source_url":"https://www.theblock.co/post/400189/attackers-drain-1-4m-in-wrapped-bitcoin-from-defi-protocol-ekubo-in-approval-based-exploit"},{"date":"2026-05-06","event":"Ekubo launches refund portal for affected EVM users. Full post-mortem promised but not yet published as of mid-June 2026.","source":"Phemex News","source_url":"https://phemex.com/news/article/ekubo-investigates-security-breach-in-evm-chain-swap-router-79001"}]},"v":1}

Verify offline (run on your own machine):
python -m src.verify_decision 86d10ea0-e335-4ff2-bc56-c5bf8ba251ea
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
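
The two checks described above, sketched as an added example; this is not avoid.net's src.verify_decision code. Assumptions: the canonical form is compact JSON with sorted keys in UTF-8 (as the row above appears to be), the hash is the SHA-256 digest in Bitcoin/Solana-alphabet base58, and the event, memo text and function names are constructed for illustration.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; leading zero bytes map to '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def canonical_bytes(event: dict) -> bytes:
    # ASSUMPTION: sorted keys, no whitespace, UTF-8 with non-ASCII left unescaped.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def row_hash(raw: bytes) -> str:
    return b58encode(hashlib.sha256(raw).digest())

def verify_row(raw: bytes, stored_hash: str, memo_text: str) -> dict:
    """Hash the exact bytes served; a re-serialized copy is a different row."""
    computed = row_hash(raw)
    return {
        "row_integrity": computed == stored_hash,   # the in-browser check
        "memo_anchor": computed in memo_text,       # the "full verify" check
        "is_canonical": canonical_bytes(json.loads(raw)) == raw,
    }

# Constructed sample event (not the real row), using the page's top-level keys.
SAMPLE_EVENT = {
    "v": 1, "kind": "publish", "actor": "system:backfill", "sequence_num": 1,
    "page_slug": "ekubo-protocol",
    "snapshot": {"summary": "85 transactions drain 17 WBTC (≈ constructed text)"},
}
RAW = canonical_bytes(SAMPLE_EVENT)
STORED_HASH = row_hash(RAW)                  # what the publisher would store
MEMO = "constructed-memo:" + STORED_HASH     # ASSUMPTION: memo format is made up

def demo() -> dict:
    tampered = RAW.replace(b"17 WBTC", b"71 WBTC")
    pretty = json.dumps(SAMPLE_EVENT, indent=2).encode("utf-8")  # same data, other bytes
    return {
        "original": verify_row(RAW, STORED_HASH, MEMO),
        "tampered": verify_row(tampered, STORED_HASH, MEMO),
        "pretty_printed": verify_row(pretty, STORED_HASH, MEMO),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The pretty-printed case fails even though the data is unchanged, which is why a verifier has to hash the canonical bytes exactly as served rather than a copy that was parsed and written out again.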