CrossCurve Bridge Suffers a $3M Exploit Via Spoofed Messages

TL;DR

• CrossCurve has confirmed its bridge is “currently under attack,” losing approximately $3 million so far.  

• The team has informed users to pause all interactions with CrossCurve while the investigation is ongoing.

CrossCurve Suffers a $3M Exploit

Cross-chain liquidity protocol CrossCurve announced on Sunday that its bridge infrastructure is currently under attack after a vulnerability in its smart contracts was exploited for approximately $3 million across multiple networks.

In its X post, CrossCurve urged its users to pause all interactions with CrossCurve while the investigation is ongoing.

⚠️ URGENT Security Notice

Dear users,

Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used.

Please pause all interactions with CrossCurve while the investigation is ongoing.

We appreciate your patience and… pic.twitter.com/yfo1KvWoDd

— CrossCurve (@crosscurvefi) February 1, 2026

Blockchain security account Defimon Alerts identified the attack vector as a gateway validation bypass in CrossCurve's ReceiverAxelar contract. The security firm added that anyone could call the expressExecute function on the contract with a spoofed cross-chain message, bypassing the intended gateway validation and triggering unauthorized token unlocks on the protocol's PortalV2 contract.

Data obtained from Arkham Intelligence shows the PortalV2 contract's balance dropping from approximately $3 million to near zero around January 31, with the exploit appearing to span multiple networks.

CrossCurve, formerly known as EYWA Protocol, operates a cross-chain DEX and consensus bridge built in partnership with Curve Finance. It leverages the a "Consensus Bridge" mechanism to route transactions through multiple independent validation protocols, including Axelar, LayerZero, and its own EYWA Oracle Network, to reduce single points of failure.