- Attackers bypassed gateway validation using spoofed cross-chain messages to unlock funds.
- The exploit drained roughly $3 million from CrossCurve’s PortalV2 contract across multiple networks.
- CrossCurve identified ten recipient wallets and activated its 10% WhiteHat bounty policy.
CrossCurve, a decentralized cross-chain liquidity protocol formerly known as EYWA, has confirmed that its bridge infrastructure was exploited, leading to losses of about $3 million.
The attack adds to a substantial rise in crypto thefts. Nearly $400 million was stolen across the industry in January 2026 alone. More than 40 major security incidents were recorded during the month, according to CertiK.
Spoofed Messages Bypassed Validation
The exploit targeted a missing validation check in one of CrossCurve’s smart contracts. According to Defimon Alerts, anyone could call the expressExecute function on the ReceiverAxelar contract using a spoofed cross-chain message.
This bypassed gateway validation and triggered unauthorized token unlocks on the protocol’s PortalV2 contract. Arkham data showed the PortalV2 balance dropping from roughly $3 million to near zero around January 31, with funds drained across multiple networks.
BlockSec later estimated total losses at about $2.76 million. Roughly $1.3 million was lost on Ethereum and around $1.28 million on Arbitrum. Additional losses were recorded on Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.
The exploit mechanism resembled the Nomad bridge failure in 2022, where a flawed verification check led to a rapid drain of funds by hundreds of wallets.
Emergency Response and Wallet Identification
Following the attack, CrossCurve issued an urgent notice asking users to stop all interactions while the issue was investigated. The team later confirmed it had identified ten Ethereum addresses that received tokens originating from the exploit.
CrossCurve stated that the funds were taken due to a smart contract flaw and said it did not assume malicious intent at this stage. The protocol invoked its SafeHarbor WhiteHat policy, offering a bounty of up to 10% to any party that returns the remaining funds.
It also invited direct coordination through email or anonymous repayment to a designated wallet. But warned that if no contact is made and funds are not returned within 72 hours from block 24364392, the incident will be treated as malicious.
Escalation measures include criminal referrals, civil litigation, cooperation with centralized exchanges and stablecoin issuers to freeze assets, public disclosure of wallet data, and coordination with blockchain analytics firms and law enforcement.
Related: Truebit Protocol Hack Triggers Record Uniswap Fees Amid a 100% TRU Dump
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/crosscurve-bridge-exploited-for-3m-after-spoofed-cross-chain-messages/
