Key Highlights
- CrossCurve’s cross-chain bridge exploit drained about $3 million after attackers bypassed smart contract validation.
- The protocol paused operations and offered a 10% bounty for fund recovery within 72 hours, while Curve warned users to review exposure.
- The incident highlights ongoing security risks in cross-chain bridges, a major source of repeated crypto losses.
Cross-chain crypto protocol CrossCurve has confirmed that its bridge was exploited in a smart contract attack, resulting in the loss of approximately $3 million across multiple blockchain networks.
The incident, disclosed late Sunday, once again underscores the persistent security risks surrounding cross-chain bridges, one of the most vulnerable components in decentralized finance (DeFi).
CrossCurve announced on X that its bridge was “under attack,” citing the exploitation of a vulnerability in one of the smart contracts used for cross-chain operations. The protocol immediately urged users to suspend all interactions as the team works on the breach.
Blockchain security analysts later confirmed that the exploit allowed attackers to bypass critical validation checks and unlock tokens without proper authorization.
What happened and how the attack worked
According to Defimon Alerts, shared by blockchain security company Decurity, the attacker used a vulnerability that enabled anybody to spoof a cross-chain message.
The vulnerability existed in a smart contract linked to CrossCurve’s Axelar-based receiver system. The attacker reportedly called a function called expressExecute on the ReceiverAxelar contract with a forged message.
This bypassed gateway validation and triggered token unlocks on the PortalV2 contract. As a result, assets were released without backing, allowing the attacker to drain funds across several networks.
Defimon Alerts estimated total losses at around $3 million, though the final figure may change as investigations continue. At the time of writing, CrossCurve has not released a complete breakdown of affected assets or chains.
Response from CrossCurve and Curve Finance
In an effort to recover the stolen funds, CrossCurve CEO Boris Povar publicly shared 10 wallet addresses believed to have received assets from the exploit. He offered a bounty of up to 10% if the funds are returned within 72 hours, a practice commonly referred to as a “white hat” reward.
According to Povar, in case of no contact within the given time frame, CrossCurve will consider the incident as malicious and seek legal alternatives. These include working with law enforcement, filing civil lawsuits, and coordinating with other crypto projects to freeze funds where possible.
Curve Finance that has collaborated with CrossCurve also released a statement that urged users who had invested their votes in CrossCurve pools to reevaluate their hold. The Curve team insisted on the need to be risk-conscious in making decisions when dealing with third-party protocols.
Why this matters for the crypto industry
Cross-chain bridges have long been a major attack surface in crypto. Over the past few years, bridge exploits have accounted for billions of dollars in losses.
High-profile incidents include the Ronin Bridge hack, the Wormhole exploit, and the Nomad bridge failure, all of which involved flaws in message verification or validation logic.
The CrossCurve incident is another case of a well-known pattern of a small error in validation code resulting in a massive loss of assets within a few days. Such incidents still bring questions to regulators, investors and developers regarding security assumptions of cross-chain systems.
Related security trends and recent attacks
The broader threat landscape is also evolving. In a recent case, cybersecurity researchers at ReversingLabs uncovered malware hidden inside Ethereum smart contracts.
The hackers exploited the Node Package Manager (NPM) with counterfeit JavaScript packages to covertly extract malicious commands out of the blockchain to enable malware to bypass the usual security checks.
Collectively, these events indicate that attackers are becoming more likely to take advantage of the trust and transparency of blockchain infrastructure itself, and not necessarily by using overtly malicious activity.
How users can stay safe
To the users, the CrossCurve exploit is yet another reminder that there is real risk to interacting with DeFi protocols. Security experts suggest not using new bridges or those with a low audit, exposure to cross-chain products, and keeping a close eye on the announcements of protocols.
Possible losses can also be minimized by using hardware wallets, not signing blind contracts, and diversifying assets in platforms.
As investigations into the CrossCurve exploit continue, the incident reinforces a central reality of decentralized finance: innovation often moves faster than security, and users remain the final line of defense.
Also Read: Makina Finance Hacked: MEV Bot Snipes 1,299 ETH in $4M Protocol Exploit