# Ekubo DEX Users Drained for $1.4M in Token Approval Exploit

*Author: Jack Inabinet*
*Published: May 6, 2026*
*Source: https://www.bankless.com/es/read/news/ekubo-dex-users-drained-for-1-4m-in-token-approval-exploit*

---

Ekubo DEX users lost $1.4M in WBTC yesterday after attackers exploited a flaw in its EVM swap router, highlighting the ever-present risk of stale token approvals.

### What's the Scoop?

- **Approval Exploit:** Attackers drained ~$1.4M in wrapped bitcoin (WBTC) from Ekubo users' wallets by exploiting a flaw in its EVM swap router contracts. The malicious actors executed approximately 85 draining transactions in quick succession before [laundering](https://x.com/CyversAlerts/status/2051761027612655711?s=20) the ill-gotten proceeds through Tornado Cash. A single victim lost 17 WBTC, accounting for the bulk of the losses.
- **Core Systems Safe:** The exploit was isolated to Ekubo's router contracts and did not impact Starknet contracts, leaving the exchange's liquidity providers and primary deployment unaffected. Ekubo has [advised](https://x.com/EkuboProtocol/status/2051754481465856038?s=20) users to revoke all outstanding approvals (particularly Ethereum V2/V3 and Arbitrum V3 users) and is working toward publishing a post-mortem of the attack.

### What's the Take?

The Ekubo hack adds another data point highlighting the prevalence of onchain risk. As my colleague William Peaster [wrote](https://www.bankless.com/read/how-i-stay-safe-in-defi) last week, revoking stale token approvals (especially of the unlimited variety) is one of the best and easiest ways to protect yourself from exploits.

> There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected.
>
> We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: [https://t.co/9vHDLVjQWP](https://t.co/9vHDLVjQWP)
>
> — Ekubo (@EkuboProtocol) [May 5, 2026](https://twitter.com/EkuboProtocol/status/2051754481465856038?ref_src=twsrc%5Etfw)