Ekubo Protocol's custom extension contract was attacked, resulting in a loss of approximately 1.4 million dollars
According to the security firm Blockaid (@blockaid_), a v2 custom extension contract of the Ekubo Protocol on Ethereum is under ongoing attack, with losses of approximately $1.4 million so far.
The root cause is that the extension's IPayer.pay callback does not effectively restrict where its parameters come from. Attackers can control the payer, token, and amount parameters and thereby arbitrarily transfer tokens that users have authorized the contract to spend. Users of the core Ekubo protocol are not affected, but users who have authorized this v2 contract as a token spender are directly at risk. Blockaid recommends that affected users revoke their authorization immediately.
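The flaw class described above can be modelled in a few lines. This is an added example, not Ekubo's or Blockaid's code: the `Token` and `Extension` classes, the `deposit` entry point, the `pay` argument order and all addresses are hypothetical stand-ins that contrast an unchecked payment callback with one that verifies its caller and binds its parameters to the operation in progress.

```python
# Constructed model, not Ekubo's code: every name here is hypothetical.
class Token:
    """Minimal ERC-20-style ledger with allowances."""
    def __init__(self):
        self.balance = {}
        self.allowance = {}          # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("balance too low")
        self.allowance[(owner, spender)] -= amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class Extension:
    """Spender contract whose pay() callback pulls tokens from `payer`."""
    def __init__(self, address, core, hardened):
        self.address, self.core, self.hardened = address, core, hardened
        self.pending = None          # (token, payer, amount) set by deposit()

    def deposit(self, sender, token, amount):
        # The payer is always the account that started the operation.
        self.pending = (token, sender, amount)
        try:
            self.pay(self.core, token, sender, amount)   # core calls back
        finally:
            self.pending = None

    def pay(self, caller, token, payer, amount):
        if self.hardened:
            if caller != self.core:
                raise PermissionError("pay() is only callable by core")
            if self.pending != (token, payer, amount):
                raise PermissionError("parameters do not match pending operation")
        token.transfer_from(self.address, payer, caller, amount)

def run(hardened):
    """Victim's balance after an unrelated account calls pay() directly."""
    token, ext = Token(), Extension("ext", "core", hardened)
    token.balance["victim"] = 100
    token.approve("victim", "ext", 100)
    try:
        ext.pay("untrusted", token, "victim", 100)
    except PermissionError:
        pass
    return token.balance["victim"]
```

In the model, revoking the approval (`approve("victim", "ext", 0)`) also stops the unchecked variant from moving the victim's funds, which is why revocation is the immediate user-side mitigation.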