NullTrace
HIGH · Ethereum · Missing Access Control · MONITORING

Ekubo Locker

Defimon-style Telegram alert: Ekubo v2 locker trusted a user-supplied from address in packed lock instructions, allowing repeated WBTC drains from an approved EOA.

Loss: $1.38M

Risk: User approval drain risk

Confidence: 88%

AI Generated Breakdown

Reporter Agent synthesis with forensic confidence scoring

Attack explanation

The attacker repeatedly called Core.lock with packed operations that withdrew WBTC to the attacker, while the transferFrom in payCallback took its from address, the victim's, from the calldata.

Root cause analysis

The locker trusted the from address supplied in the instruction payload instead of binding the payment source to the authenticated execution context.

Technical Breakdown

Attack vector: Packed instruction payload with untrusted from address

Vulnerability: Missing access control and unsafe transferFrom source validation

Affected contracts:

0x770bc9a1f7c32cb63a5002b9ceb5c7994cd3af0fc6b2309cb32d3c46f629daa0
0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd
0x765decf4fa157756e850c1079f60801b9219edd1

Mitigation suggestions

Bind payCallback from address to authenticated caller or signed context
Reject user-supplied payment sources unless explicitly authorized
Detect repeated debt-balanced lock cycles from the same router allowance
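
One way to implement the third mitigation as an off-chain monitor, added here as an example (not NullTrace or Ekubo code). It assumes traces are already decoded into the hypothetical Transfer/Tx records below, and it flags a spender that repeatedly pulls a token from someone other than the transaction signer while the signer is paid the same token. All names and amounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:          # one ERC-20 movement decoded from a trace (assumed schema)
    token: str
    operator: str        # msg.sender of the token call, i.e. the approved spender
    src: str
    dst: str
    amount: int

@dataclass(frozen=True)
class Tx:
    origin: str          # EOA that signed the transaction
    transfers: tuple

def third_party_cycles(tx):
    """Allowance pulls in tx whose payer is not the signer, while the signer
    receives at least that much of the same token (a debt-balanced cycle)."""
    received = defaultdict(int)
    for t in tx.transfers:
        if t.dst == tx.origin:
            received[t.token] += t.amount
    return [t for t in tx.transfers
            if t.operator != t.src          # transferFrom via allowance, not a plain transfer
            and t.src != tx.origin          # payment source is not the authenticated signer
            and 0 < t.amount <= received[t.token]]

def repeated_drains(txs, min_cycles=2):
    """Group cycles by (spender, payer); report pairs seen at least min_cycles times."""
    stats = defaultdict(lambda: [0, 0])     # [cycle count, total amount pulled]
    for tx in txs:
        for t in third_party_cycles(tx):
            stats[(t.operator, t.src)][0] += 1
            stats[(t.operator, t.src)][1] += t.amount
    return {k: tuple(v) for k, v in stats.items() if v[0] >= min_cycles}

# Constructed sample data: names and amounts are placeholders, not on-chain values.
def drain(amount):
    return Tx("attacker", (Transfer("WBTC", "core", "core", "attacker", amount),
                           Transfer("WBTC", "locker", "victim", "core", amount)))

SAMPLE = [
    drain(100), drain(250), drain(40),
    # Benign swap: the signer pays from their own balance and receives another token.
    Tx("alice", (Transfer("WBTC", "locker", "alice", "core", 70),
                 Transfer("USDC", "core", "core", "alice", 5000))),
]

if __name__ == "__main__":
    print(repeated_drains(SAMPLE))
```

Relayed or sponsored transactions also have a payer that differs from the signer, so a production rule would need an allowlist of known relayers to keep false positives down.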

Exploit Timeline

00:00  Suspicious activity begins. NullTrace Scout Agent detects abnormal account, wallet, or market behavior.

00:19  Exploit pattern classified. Analyst Agent matches the activity against known Web3 attack signatures.

00:41  Funds movement traced. Forensics Agent clusters wallets, bridge routes, exchange hops, and mixer exposure.

01:12  Related posts monitored. Reporter Agent collects researcher warnings and suppresses unverified claims.

03:48  Response tracked. Protocol actions, freezes, recovery updates, and public statements are added to the dossier.

Related Tweets

Demo X/Twitter integration for researcher posts, warnings, and fake-info checks

NullTrace links social posts to the incident by contract mentions, protocol name, researcher credibility, and fake-loss detection tags.

Defimon Alerts

@DefimonAlerts · May 5

Warning

Ekubo.org loss $1.38M. Missing access control: payCallback trusted from address in packed instruction calldata.

NullTrace Intel

@nulltrace_ai · 4m

Confirmation

On-chain behavior and public reports are aligned. Confidence raised after wallet clusters matched the incident pattern.

Maya Chen

@maya_sec · 7m

Researcher

The important signal is not only the drain. Watch the staging wallets and the small test transactions before the main move.

Rumor Watch

@intel_filter · 10m

Fake Info Flag

Unverified recovery claims are circulating. No confirmed full recovery unless the protocol or tracked wallet flows support it.

suppressed by misinformation filter
