Cross-Chain Bridge CrossCurve Exploited in $3M Smart Contract Attack


Curve Finance-based liquidity protocol CrossCurve said that a vulnerability in one of the smart contracts for its cross-chain bridge infrastructure has been exploited, leading to the theft of approximately $3 million in crypto assets across multiple networks.

The CrossCurve team confirmed the attack on X late on Sunday, and urged users to “pause all interactions” while the investigation is ongoing. The protocol, formerly known as EYWA, is backed by Curve Finance founder Michael Egorov and recently raised $7 million in funding.

CrossCurve, built in partnership with Curve Finance, is a cross-chain DEX and token bridge that addresses fragmented liquidity across blockchains. The platform uses a “Consensus Bridge” mechanism to create a unified, global market by aggregating Curve’s existing liquidity pools to route transactions through multiple independent validation protocols, including Axelar, LayerZero, and EYWA Oracle Network, to reduce single points of failure.

CrossCurve Hit by $3M Smart Contract Exploit

According to the X post, CrossCurve is currently under attack through a vulnerability in one of the smart contracts it uses. Blockchain security firm Decurity, the first to alert the community, discovered that anyone could call the ‘expressExecute’ function on the protocol’s ‘ReceiverAxelar’ contract with a spoofed cross-chain message to bypass gateway validation and trigger unauthorized token unlocks on the PortalV2 contract.

PortalV2 is a core component of CrossCurve, facilitating secure and reliable asset transfers across multiple blockchains. It serves as the locking mechanism on the source network, locking original tokens when users initiate a cross-chain transfer.
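The class of flaw described above, as an added example that is not CrossCurve's or Axelar's code: a simplified Python model of a receiver whose express entry point either skips or performs the gateway approval check before unlocking from a portal. All class names, fields and the `recipient:amount` payload format are hypothetical, and the sample message is constructed.

```python
import hashlib

def _key(command_id, source_chain, source_address, payload):
    return (command_id, source_chain, source_address, hashlib.sha256(payload).digest())

class Gateway:
    """Stand-in for the bridge gateway: records messages the validators approved."""
    def __init__(self):
        self._approved = set()
    def approve(self, *msg):
        self._approved.add(_key(*msg))

    def validate_call(self, *msg):
        key = _key(*msg)
        ok = key in self._approved
        self._approved.discard(key)  # consumed on use, so an approval cannot be replayed
        return ok

class Portal:
    """Holds locked tokens; unlock() is meant to be reachable only via the receiver."""
    def __init__(self, locked):
        self.locked = locked

    def unlock(self, to, amount):
        if amount > self.locked:
            raise ValueError("insufficient locked balance")
        self.locked -= amount

class Receiver:
    def __init__(self, gateway, portal, validate_express):
        self.gateway, self.portal = gateway, portal
        self.validate_express = validate_express  # False models the reported flaw

    def express_execute(self, command_id, source_chain, source_address, payload):
        # Hardened path: refuse any message the gateway never approved.
        if self.validate_express and not self.gateway.validate_call(
                command_id, source_chain, source_address, payload):
            raise PermissionError("message not approved by gateway")
        to, amount = payload.decode().split(":")
        self.portal.unlock(to, int(amount))

def balance_after_spoof(validate_express):
    """Submit one never-approved (constructed) message; return what is left locked."""
    portal = Portal(locked=1000)
    receiver = Receiver(Gateway(), portal, validate_express)
    try:
        receiver.express_execute("cmd-1", "chain-a", "sender", b"recipient:1000")
    except PermissionError:
        pass
    return portal.locked
```

Because the approval key includes the payload hash, the hardened path also rejects a message whose amount was altered after approval.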

Meanwhile, CurveFinance posted on X asking users who allocated assets to CrossCurve pools to “review their positions and consider removing those votes.”

“We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects,” the post read.

Defimon Alerts shared data sourced from Arkham Intelligence, which showed the balance in PortalV2 dropping from approximately $3 million to near zero around January 31. Experts said the vulnerability is reminiscent of the $190 million exploit on the Nomad bridge in 2022, which saw more than 300 wallet addresses attempt to drain funds from the protocol.

Previously, CrossCurve emphasized its security architecture as a key differentiating factor, noting in its documentation that the probability of several cross-chain protocols getting hacked at the same time is “near zero.”

CrossCurve Offers 10% Bounty for Fund Return, Warns of Legal Action

Curve Finance founder Michael Egorov became an investor in the platform in September 2023, and since then, it has transformed into one of the official bridges for the leading decentralized exchange. In early 2024, Egorov raised $7 million for the project in a seed round with participation from Fenbushi Capital, GBV Capital, Big Brain Holdings, Marshland Capital, and Mulana Capital, among others.

In a desperate attempt to contact the attacker, CrossCurve CEO Boris Povar shared 10 addresses that he claims received tokens from the exploit, and offered a bounty of up to 10% if the funds are safely returned within the next 72 hours.

“These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” Povar said.

However, he warned that if “no contact is established” before the deadline, the team will assume there is “malicious intent” and consider it a “judicial matter.” CrossCurve is prepared to work with law enforcement, file civil lawsuits to recover damages, and coordinate with authorities and other crypto projects to freeze the assets if they are not returned.
