Cross-chain liquidity protocol CrossCurve has been targeted in a smart contract exploit, with attackers draining roughly $3 million across multiple networks.
- CrossCurve has confirmed a $3 million exploit involving spoofed cross-chain messages that bypassed bridge validation.
- The protocol has offered a 10% bounty for the return of funds.
CrossCurve confirmed the exploit via a Feb. 2 X post and has requested all users to “pause all interactions” with the protocol until the vulnerability has been patched.
In a follow-up post, the protocol said it had identified 10 addresses that had received tokens from the exploit and urged the attackers to return the funds in exchange for a reward.
“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” CrossCurve wrote.
CrossCurve announces bounty
The protocol has offered 10% of the stolen funds as a bounty, similar to what it offers under its SafeHarbor WhiteHat policy.
If the funds are not returned within 72 hours, the protocol has vowed to pursue legal options, including civil litigation to recover damages and coordinate with law enforcement and other projects to freeze the assets.
At the time of publication, CrossCurve has not released an official post-mortem report regarding the extent of losses and how many users may have been affected.
According to blockchain security account Defimon Alerts, total losses may be close to $3 million.
“Anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2,” Defimon said.
Arkham Intelligence data cited by Defimon showed the balance of the PortalV2 contract dropping to near zero around January 31.
CrossCurve, formerly known as EYWA Protocol, operates a cross-chain DEX and consensus bridge built in collaboration with Curve Finance. It uses a consensus mechanism that routes transactions through multiple independent validation protocols to reduce single points of failure.
“Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes. We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects,” the official Curve Finance X account posted after the incident was confirmed.
SagaEVM chain exploited just weeks before
The CrossCurve incident is the second major exploit in recent weeks, as it closely follows the SagaEVM chain smart contract breach, which resulted in the loss of approximately $7 million in bridged assets.
As previously reported by crypto.news, Saga had to pause the SagaEVM chain and work with bridge operators to blacklist the address and limit further movement of funds.
