Crypto protocol CrossCurve has revealed that its cross-chain bridge was compromised, resulting in a loss of about $3 million across various blockchain networks. The attack has raised new security concerns about cross-chain infrastructure, which hackers have repeatedly targeted in the crypto industry. CrossCurve revealed the attack late Sunday in a post on X , stating that its bridge was “under attack” and that a vulnerability in its smart contracts had been exploited. The protocol warned users to immediately pause all interactions with CrossCurve while the team looks into what happened. The exploit affected several networks and demonstrated the impact that weaknesses can have on cross-chain systems. Details about the exploit were provided by Defimon Alerts, an X account belonging to a blockchain security firm, Decurity. The attacker compromised one of CrossCurve’s smart contracts and stole approximately $3 million, according to Defimon Alerts. The report also said CrossCurve’s contract did not properly verify cross-chain messages. This enabled any party to spoof , or fake, a genuine-looking message. Thus, the attacker was able to circumvent the traditional validation mechanism and unlock tokens without authorization. More specifically, Defimon Alerts mentioned that anyone can invoke a function called expressExecute in the ReceiverAxelar contract. This function exploited a phony cross-chain message and bypassed gateway checks by calling it and unlocking tokens on the PortalV2 contract. It trusted that message, and funds were released even after no transaction was made in the original chain. CrossCurve didn’t challenge any of that work, and is also investigating affected contracts. The protocol has not yet confirmed whether all users will receive compensation for their losses. In a po st on X , Curve advised users whose voting powers were granted to CrossCurve pools to review their positions and consider removing their votes. It also recommends that all investors stay on watch and make risk-informed decisions when interacting with third-party projects. CrossCurve offers a 10% bounty to recover stolen tokens In an attempt to recover the stolen funds , the CEO of CrossCurve, Boris Povar, publicly contacted the addresses suspected of receiving tokens through the exploit. Povar shared 10 blockchain addresses associated with the stolen assets and requested that the funds be returned, he said. The tokens were “wrongfully taken from users due to a smart contract exploit,” Povar said in his post. There was no clear evidence, he said, that the attack was intentional or malicious. Povar requested cooperation to return the funds and offered a bounty of up to 10% if the tokens were returned within 72 hours. Povar added that if no contact was made or the funds were not returned within that time frame, CrossCurve would consider the incident to be a criminal matter. The protocol was ready to coordinate with law enforcement, file civil lawsuits to recoup damages, and partner with other crypto ventures and authorities to freeze assets associated with the exploit, he said. Such bounty offers, also known as “white hat” rewards, have become common in the crypto industry. Attackers have returned funds in exchange for a bounty in some cases, while in others the funds have gone unrecovered. Cross-chain exploits continue to plague the crypto sector The CrossCurve incident is the latest in a long series of attacks targeting cross-chain bridges and decentralized finance protocols. Over the last few years , billions of dollars have evaporated to bridge exploits. Notable cases include the Ronin Bridge hack, which cost hundreds of millions of dollars, as well as attacks on Wormhole and Nomad platforms. A lot of this was due to message verification failures, just as in the CrossCurve case. Cross-chain bridges, as security analysts have long warned, are among the most egregious risks in crypto. Even tiny mistakes in validation logic can result in tokens being minted or unlocked and used without backing, leading to huge losses in a short period of time. The growing number of problems has forced regulators, investors, and coders to call for stronger security practices, including greater auditing, simpler designs, clearer audit trails, and monitoring tools. But, as CrossCurve’s experience shows, vulnerabilities still arise, and users are reminded that they remain at significant risk when engaging with decentralized protocols. Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.
