CrossCurve Suffers $3M Cross-Chain Hack Linked to Validation Bypass
CrossCurve, a cross-chain liquidity protocol formerly known as EYWA, suffered a $3 million loss later than a vulnerability in one of its was exploited. The incident affected its bridge infrastructure, allowing unauthorized withdrawals across multiple blockchain networks.
In an official , the protocol warned users
“Dear users, Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used. Please pause all interactions with CrossCurve while the investigation is ongoing. We appreciate your patience and cooperation. We will provide updates on the situation through our official channels.”
The exploit stemmed from a flaw in CrossCurveβs ReceiverAxelar contract, which failed to validate certain cross-chain messages. Attackers were able to bypass checks and trigger unauthorized transfers from the PortalV2 contract, draining funds that were never properly authenticated. On-chain data indicates the contractβs balance fell from roughly $3 million to near zero during the attack.
Response and Recovery Efforts
The founder of CrossCurve, Boris Povar, identified the addresses that received the stolen tokens and emphasized that there was no evidence of malicious intent from the recipients.
The protocol is urging cooperation in returning the funds and is offering a 10% bounty under its secureHarbor WhiteHat policy for any recovered tokens. A dedicated address has also been provided for anonymous returns.
“If the funds are not returned or no contact is established within 72 hours, we will have to assume there is malicious intent and treat this as a judicial matter,” the statement added.
CrossCurve further warned that failure to return funds could lead to criminal referrals, civil litigation, coordination with platforms to freeze assets, and public disclosure of transaction traces.
Implications for DeFi Bridges
This breach comes amid a spate of recent high-profile DeFi exploits, including a attack that affected Matcha Meta users and a .
Both incidents involved design flaws in smart contracts and vulnerabilities in cross-chain or oracle mechanisms, highlighting persistent systemic risks in decentralized finance. Together with the CrossCurve hack, they underscore how even protocols with multiple security layers can be exposed to sophisticated attacks if critical validation or verification steps fail.
Even well-secured protocols can face significant losses if a single smart contract fails to enforce proper checks. CrossCurve has advised users to halt interactions until the investigation concludes and promised ongoing updates through its official channels.
