Cross-chain liquidity protocol CrossCurve has confirmed a major smart contract exploit that drained approximately $3 million worth of tokens across multiple blockchain networks, prompting the team to pause operations and urge users to halt interactions while the situation is investigated.
Decentralized liquidity protocol CrossCurve, formerly known as Eywa, announced on Monday that its bridge infrastructure was compromised through a vulnerability in its smart contracts, resulting in an exploit that drained about $3 million in assets across interconnected networks. The team posted an urgent advisory on X warning users to pause all interactions with the protocol as they assess the impact and work toward remediation.
Security analysts identified the attack vector as a flaw in the ReceiverAxelar contract, which failed to properly validate incoming cross-chain messages. This allowed attackers to submit spoofed cross-chain messages that bypassed gateway validation checks, triggering unauthorized token unlocks on the bridge’s PortalV2 contract without proper verification. On-chain data shows the contract balance collapsing from roughly $3 million to near zero during the exploit.
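The class of check described above can be shown with a simplified Python model. This is an added illustration, not CrossCurve's contract code and not part of the original report; the `Gateway` and `Receiver` classes, chain names, addresses and amounts are all constructed, and `check_gateway=False` is an assumed stand-in for a receiver that skips validation.

```python
import hashlib

class Gateway:
    """Constructed stand-in for a bridge gateway that records validator-approved messages."""
    def __init__(self):
        self._approved = set()
    @staticmethod
    def _key(command_id, src_chain, src_addr, receiver, payload):
        return (command_id, src_chain, src_addr, receiver, hashlib.sha256(payload).hexdigest())
    def approve(self, *msg):
        self._approved.add(self._key(*msg))
    def validate_call(self, *msg):
        key = self._key(*msg)
        if key not in self._approved:
            return False
        self._approved.discard(key)  # consume the approval so it cannot be replayed
        return True

class Receiver:
    """Hypothetical receiver guarding a token pool; check_gateway=False models a missing check."""
    def __init__(self, gateway, trusted_peers, pool, check_gateway=True):
        self.gateway, self.trusted_peers = gateway, trusted_peers
        self.pool, self.check_gateway = pool, check_gateway
    def execute(self, command_id, src_chain, src_addr, payload):
        if self.check_gateway:
            if (src_chain, src_addr) not in self.trusted_peers:
                raise PermissionError("unknown source contract")
            if not self.gateway.validate_call(command_id, src_chain, src_addr, "receiver", payload):
                raise PermissionError("message not approved by gateway")
        amount = int.from_bytes(payload, "big")
        if amount > self.pool:
            raise ValueError("insufficient pool balance")
        self.pool -= amount  # stands in for the token unlock
        return amount

def run_demo():
    """Send one approved and one unapproved message (both constructed) to each receiver."""
    results = {}
    for label, checked in (("checked", True), ("unchecked", False)):
        gw = Gateway()
        gw.approve("cmd-1", "chain-a", "0xPEER", "receiver", (100).to_bytes(32, "big"))
        rx = Receiver(gw, {("chain-a", "0xPEER")}, pool=1000, check_gateway=checked)
        rx.execute("cmd-1", "chain-a", "0xPEER", (100).to_bytes(32, "big"))
        try:
            rx.execute("cmd-2", "chain-x", "0xOTHER", (900).to_bytes(32, "big"))
        except PermissionError:
            pass
        results[label] = rx.pool
    return results
```

In the model, the receiver that checks the gateway keeps 900 of its 1000 units after the unapproved message is rejected, while the one that skips the check is left with nothing.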
In its communication, CrossCurve noted that several user addresses received tokens that were “wrongfully taken” due to the smart contract bug and asked for cooperation in returning funds. The platform has publicly identified ten Ethereum addresses that received misdirected tokens and stated that there is no clear indication of malicious intent for some recipients, framing the situation as a technical exploit rather than an outright theft.
Validation bypass in cross-chain messages highlights ongoing risks for DeFi bridges
To incentivize recovery, the protocol’s Safe Harbor Responsible Disclosure Policy offers a 10% bounty for white-hat hackers who assist in returning the exploited funds within a 72-hour window. The remaining 90% of recovered assets must be sent to a designated recovery address shared by the team.
If no cooperation is forthcoming, CrossCurve has outlined escalation measures including possible civil and criminal action, cooperation with major exchanges such as Coinbase and Binance, stablecoin issuers, and on-chain analytics firms like Chainalysis, TRM Labs and Elliptic to trace and potentially immobilize the stolen funds.
The exploit underscores persistent security challenges for cross-chain bridges in DeFi, which, despite often relying on multi-layered validation mechanisms through protocols like Axelar and LayerZero, can still be vulnerable to fundamental validation bypass flaws.

