Blockaid: Ekubo has lost approximately $1.4 million in the attack.
CoinFeed reported on May 6th that, according to Blockaid monitoring, Ekubo Protocol's custom extension contract on Ethereum was attacked in the early hours of the morning, resulting in the theft of approximately $1.4 million. Ekubo users in general are unaffected; only users who approved the V2 contract as a token spender are at risk. The vulnerability lies in the `IPayer.pay` callback of the Ekubo extension contract: the `payer`, `token` and `amount` arguments passed to `token.transferFrom` are taken directly from the lock payload, which the attacker controls, and the contract never checks that `payer` is the account that initiated the lock or an authorized payer. An attacker can therefore route a Core lock to the extension contract, name any user who previously granted the contract an ERC-20 approval as the payer and themselves as the withdrawal recipient, and drain that user's approved tokens.
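To make the pattern concrete, the following is an added, simplified illustration written for this note; it is not Ekubo's code. The vulnerable contract trusts `payer`, `token`, `amount` and `recipient` straight from the lock payload, while the hardened version only debits the account that opened the lock (or an address that account explicitly delegated). The `PayRequest` struct, the `locker` argument supplied by Core, and the `approvedPayer` mapping are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example; interface and struct names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed shape of the payload an extension receives when a Core lock is routed to it.
struct PayRequest {
    address payer;      // whose ERC-20 approval is consumed
    address token;
    uint256 amount;
    address recipient;  // who receives the withdrawn funds
}

// VULNERABLE: every field, including `payer`, is trusted from the payload.
// Anyone who can open a lock and route it here can spend any user's
// standing ERC-20 approval to this contract.
contract VulnerableExtension {
    address public immutable core;
    constructor(address core_) { core = core_; }

    function pay(address /*locker*/, bytes calldata payload) external {
        require(msg.sender == core, "only core");
        PayRequest memory r = abi.decode(payload, (PayRequest));
        // BUG: r.payer is never tied to the account that opened the lock.
        IERC20(r.token).transferFrom(r.payer, r.recipient, r.amount);
    }
}

// HARDENED: the payer must be the account that initiated the lock, or an
// address that payer has explicitly delegated via `approvedPayer`.
contract HardenedExtension {
    address public immutable core;
    // payer => locker => allowed to spend payer's approval
    mapping(address => mapping(address => bool)) public approvedPayer;
    constructor(address core_) { core = core_; }

    function setApprovedPayer(address locker, bool ok) external {
        approvedPayer[msg.sender][locker] = ok;
    }

    function pay(address locker, bytes calldata payload) external {
        require(msg.sender == core, "only core");
        PayRequest memory r = abi.decode(payload, (PayRequest));
        // Bind the debited account to the lock initiator or its explicit delegate.
        require(r.payer == locker || approvedPayer[r.payer][locker], "payer not authorized");
        IERC20(r.token).transferFrom(r.payer, r.recipient, r.amount);
    }
}
```

For users, the practical mitigation is the same in either case: revoke standing ERC-20 approvals to contracts that expose such callbacks, and prefer exact-amount approvals over unlimited ones.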