CrossCurve Bridge Exploit Drains About $3 Million After Smart Contract Flaw

CrossCurve, a cross-chain liquidity and trading protocol, has confirmed that its bridge infrastructure was exploited in an attack that drained roughly $3 million across several blockchain networks. The incident stems from a vulnerability in one of the project’s smart contracts, which allowed attackers to unlock funds using spoofed cross-chain messages.

The project acknowledged the breach on Sunday, urging users to immediately stop interacting with the protocol while the issue is investigated.

“Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a public statement.

Security researchers quickly traced the issue to a gateway validation bypass in CrossCurve’s ReceiverAxelar contract. According to blockchain security account Defimon Alerts, the flaw allowed anyone to call a function known as expressExecute with a fabricated cross-chain message. By doing so, attackers were able to bypass the intended validation checks and trigger unauthorized token releases from the protocol’s PortalV2 contract.

On-chain data supports the findings. Information from Arkham Intelligence shows the PortalV2 contract’s balance falling from about $3 million to nearly zero around January 31, with losses spread across multiple networks.

The exploit has drawn comparisons to the high-profile Nomad bridge hack in 2022, which resulted in roughly $190 million in losses after attackers discovered a similar weakness and rushed to drain funds. Commenting on the parallels, security expert Taylor Monahan said that it was surprising to see such issues persist years later.

CrossCurve, previously known as EYWA Protocol, operates a cross-chain decentralized exchange and a so-called “Consensus Bridge” developed in collaboration with Curve Finance. The system was designed to route transactions through several independent validation layers, including Axelar, LayerZero, and the project’s own EYWA Oracle Network, with the goal of reducing reliance on any single point of failure.

The protocol has previously highlighted this architecture as a key security advantage, even stating in its documentation that the chances of multiple cross-chain systems failing at the same time were extremely low. The project has attracted notable backing, including investment from Curve Finance founder Michael Egorov in 2023, and has said it raised $7 million from venture capital firms.

In response to the incident, Curve Finance issued its own warning, advising users with exposure to Eywa-related pools to review their positions and consider removing votes if necessary. The platform emphasized the importance of caution when interacting with third-party protocols.

As CrossCurve works to assess the damage and address the vulnerability, the incident serves as another reminder of the risks associated with cross-chain infrastructure, even for projects built with layered security models. For users and developers alike, the episode underscores the need for continued vigilance as cross-chain activity grows.