CrossCurve Bridge Exploit Drains $3 Million in Multi-Chain Cyberattack
CrossCurve, a cross-chain decentralized exchange and liquidity protocol formerly known as EYWA, suffered a major cyberattack on January 31 after attackers exploited a smart contract vulnerability, draining approximately $3 million across multiple blockchain networks.
The CrossCurve team confirmed the incident on Sunday, urging users to halt all interactions with the protocol while investigations continued. The attack stemmed from a flaw in the ReceiverAxelar contract, which lacked a critical validation check, allowing threat actors to bypass gateway security using spoofed cross-chain messages. By calling the expressExecute function with forged data, attackers triggered unauthorized token unlocks via the PortalV2 contract, siphoning funds without proper authorization.
Blockchain security firm Defimon Alerts identified the root cause, while Arkham Intelligence data revealed the PortalV2 contract’s balance plummeted from $3 million to near zero during the exploit. The attack spanned multiple chains, underscoring the risks of cross-chain messaging systems.
CrossCurve, developed in partnership with Curve Finance, had marketed its "Consensus Bridge," which routes transactions through Axelar, LayerZero, and the EYWA Oracle Network, as a security advantage, claiming the redundancy minimized failure risks. However, the breach demonstrated that a single vulnerable smart contract could compromise the entire system, regardless of layered validation.
The protocol has significant backing in DeFi, including a $7 million venture capital raise and an investment from Curve Finance founder Michael Egorov in September 2023. Following the exploit, Curve Finance advised users with exposure to EYWA-related pools to review their positions.
Security researchers noted parallels to the 2022 Nomad bridge hack, where a flawed validation mechanism led to a $190 million exploit, later replicated by copycat attackers. The CrossCurve incident reignites concerns over bridge security in decentralized finance.
Source: https://thecyberexpress.com/crosscurve-bridge-3m-cyberattack/
Curve Finance cybersecurity rating report: https://www.rankiteo.com/company/curve-finance
CrossCurve cybersecurity rating report: https://www.rankiteo.com/company/crosscurvefi
{
  "id": "CURCRO1770021757",
  "linkid": "curve-finance, crosscurvefi",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'DeFi (Decentralized Finance)',
                        'name': 'CrossCurve (formerly EYWA)',
                        'type': 'Decentralized Exchange and Liquidity '
                                'Protocol'}],
 'attack_vector': 'Spoofed cross-chain messages',
 'customer_advisories': 'Users urged to halt all interactions with the '
                        'protocol.',
 'date_detected': '2024-01-31',
 'date_publicly_disclosed': '2024-01-31',
 'description': 'CrossCurve, a cross-chain decentralized exchange and '
                'liquidity protocol formerly known as EYWA, suffered a major '
                'cyberattack on January 31 after attackers exploited a smart '
                'contract vulnerability, draining approximately $3 million '
                'across multiple blockchain networks. The attack stemmed from '
                'a flaw in the ReceiverAxelar contract, which lacked a '
                'critical validation check, allowing threat actors to bypass '
                'gateway security using spoofed cross-chain messages. By '
                'calling the expressExecute function with forged data, '
                'attackers triggered unauthorized token unlocks via the '
                'PortalV2 contract, siphoning funds without proper '
                'authorization.',
 'impact': {'brand_reputation_impact': 'Significant',
            'financial_loss': '$3 million',
            'operational_impact': 'Users urged to halt all interactions with '
                                  'the protocol',
            'systems_affected': 'Cross-chain decentralized exchange and '
                                'liquidity protocol'},
 'initial_access_broker': {'entry_point': 'ReceiverAxelar contract'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The breach demonstrated that a single vulnerable smart '
                    'contract could compromise the entire system, regardless '
                    'of layered validation. Reinforces concerns over bridge '
                    'security in decentralized finance.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Flaw in the ReceiverAxelar '
                                           'contract lacking a critical '
                                           'validation check, allowing spoofed '
                                           'cross-chain messages to bypass '
                                           'gateway security.'},
 'references': [{'source': 'Defimon Alerts'},
                {'source': 'Arkham Intelligence'},
                {'source': 'Curve Finance'}],
 'response': {'communication_strategy': 'Public disclosure and advisories',
              'containment_measures': 'Urged users to halt all interactions '
                                      'with the protocol',
              'incident_response_plan_activated': 'Yes',
              'third_party_assistance': 'Defimon Alerts, Arkham Intelligence'},
 'stakeholder_advisories': 'Curve Finance advised users with exposure to '
                           'EYWA-related pools to review their positions.',
 'title': 'CrossCurve Bridge Exploit Drains $3 Million in Multi-Chain '
          'Cyberattack',
 'type': 'Smart Contract Exploit',
 'vulnerability_exploited': 'Lack of validation check in ReceiverAxelar '
                            'contract'}