Cross-chain liquidity protocol CrossCurve has suffered a smart contract exploit that allowed attackers to drain roughly $3 million in digital assets across multiple blockchain networks.
The team confirmed the breach in a Feb. 2 post on X, urging users to pause all interactions with the protocol while engineers work to patch the vulnerability.
Spoofed cross-chain messages bypassed validation
According to initial disclosures, the exploit involved spoofed cross-chain messages that bypassed bridge validation checks. This allowed attackers to trigger unauthorized token unlocks across networks.
Blockchain security account Defimon Alerts said the flaw allowed anyone to call the expressExecute function on the ReceiverAxelar contract using forged cross-chain messages, bypassing gateway verification and triggering token unlocks on PortalV2.
Arkham Intelligence data cited by Defimon Alerts showed the balance of the PortalV2 contract dropping to near zero around Jan. 31, pointing to the moment the exploit was executed.
CrossCurve offers 10% bounty for fund return
In a follow-up statement, CrossCurve said it had identified 10 wallet addresses that received funds from the exploit. The protocol offered a 10% bounty for the voluntary return of the stolen assets, mirroring its SafeHarbor WhiteHat policy.
“We do not believe this was intentional on your part, and there is no indication of malicious intent,” the team wrote, appealing for cooperation.
CrossCurve warned that if funds are not returned within 72 hours, it will pursue legal action, including civil litigation, and coordinate with law enforcement and other projects to freeze the assets.
At the time of publication, the team had not released a full post-mortem detailing how many users were affected or the precise loss breakdown.
Curve Finance urges users to review positions
CrossCurve formerly known as EYWA Protocol operates a cross-chain DEX and consensus bridge built in collaboration with Curve Finance. The system is designed to route transactions through multiple independent validation protocols to reduce single points of failure.
Following confirmation of the exploit, Curve Finance posted a warning advising users who had allocated votes to Eywa-related pools to review their positions and consider removing votes.
The team emphasized the importance of remaining vigilant when interacting with third-party DeFi projects, particularly those involving bridges.
Second major bridge exploit in weeks
The CrossCurve attack follows another high-profile incident just weeks earlier involving the SagaEVM chain, where attackers drained approximately $7 million in bridged assets.
In that case, the Saga team paused the chain and worked with bridge operators to blacklist malicious addresses and limit further fund movement highlighting the ongoing risks facing cross-chain infrastructure.
Bigger picture
The CrossCurve exploit underscores persistent security challenges in cross-chain bridge design, which remains one of the most targeted areas in DeFi. Despite layered validation mechanisms, attackers continue to find ways to exploit message verification and execution logic.
Until a full post-mortem is released, users are advised to remain cautious and avoid interacting with affected contracts as the investigation continues.
