CrossCurve exploited for $3 million in multi-network bridge attack

Cross-chain liquidity protocol CrossCurve has been hit by a smart contract exploit, with attackers draining roughly $3 million across multiple networks.

The protocol confirmed the breach in a Feb. 2 post on X, saying the exploit involved spoofed cross-chain messages that bypassed bridge validation. Users were urged to pause all interactions until the vulnerability is patched.

CrossCurve has offered a 10% bounty—around $300,000—for the return of the stolen funds. In a follow-up, the team identified 10 addresses that received tokens from the exploit and appealed to the attackers:

“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds.”

If the funds are not returned within 72 hours, CrossCurve plans to pursue legal action, including civil litigation and coordination with law enforcement and other projects to freeze assets.

Security firm Defimon Alerts said the exploit worked because anyone could call expressExecute on the ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlocks on PortalV2. Arkham Intelligence data showed the PortalV2 balance dropped to near zero around Jan. 31.
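The flaw Defimon Alerts describes can be modeled in a few lines. The Python sketch below is an added example, not CrossCurve's or Axelar's code: it puts a receiver entry point that trusts caller-supplied message fields beside one that asks the gateway whether validators approved that exact message. The `Gateway`, `Portal` and `Receiver` classes, the `recipient:amount` payload format and the use of SHA-256 as the payload hash are all assumptions made for illustration.

```python
import hashlib

def _key(command_id, chain, sender, payload):
    return (command_id, chain, sender, hashlib.sha256(payload).digest())

class Gateway:
    """Hypothetical stand-in for the gateway: holds validator-approved messages."""
    def __init__(self):
        self._approved = set()

    def approve(self, command_id, chain, sender, payload):
        self._approved.add(_key(command_id, chain, sender, payload))

    def validate_call(self, command_id, chain, sender, payload):
        key = _key(command_id, chain, sender, payload)
        if key not in self._approved:
            return False
        self._approved.discard(key)  # consume the approval so it cannot be replayed
        return True

class Portal:
    """Hypothetical stand-in for the contract holding locked funds."""
    def __init__(self, balance):
        self.balance = balance

    def unlock(self, recipient, amount):
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        return amount

class Receiver:
    def __init__(self, gateway, portal, trusted_peers):
        self.gateway, self.portal, self.trusted_peers = gateway, portal, trusted_peers

    def _handle(self, payload):
        recipient, amount = payload.decode().split(":")  # constructed payload format
        return self.portal.unlock(recipient, int(amount))

    def express_execute_unchecked(self, command_id, chain, sender, payload):
        # Reported flaw: caller-supplied fields are trusted, the gateway is never asked.
        return self._handle(payload)

    def execute_validated(self, command_id, chain, sender, payload):
        if (chain, sender) not in self.trusted_peers:
            raise PermissionError("untrusted source")
        if not self.gateway.validate_call(command_id, chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        return self._handle(payload)
```

In the hardened path the unlock depends on state only the gateway can set, so the source chain, sender and payload a caller supplies carry no authority on their own.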

CrossCurve, formerly known as EYWA Protocol, operates a cross-chain DEX and consensus bridge in collaboration with Curve Finance, routing transactions through multiple independent validators to reduce single points of failure.

Curve Finance also warned users:

“Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes. Remain vigilant and make risk-aware decisions when interacting with third-party projects.”

This is the second major exploit in recent weeks, following the SagaEVM chain breach, which saw roughly $7 million lost in bridged assets. Saga had to pause its chain and blacklist addresses to limit further losses.