Sunday, March 1, 2026

DeFi Protocol CrossCurve Smart Contract Exploited, Suffers $3M Loss Across Multiple Chains

CrossCurve, a cross-chain bridge and DeFi protocol, said Monday it suffered an attack that drained about $3 million across multiple networks and urged users to pause all interactions while an investigation runs. In an urgent notice on X, the team said its bridge was “currently under attack” after a vulnerability in a smart contract was exploited. The incident forces a rapid shift from growth to incident response, with user protection taking priority over every other roadmap item.

CrossCurve said some user addresses received token funds that were “wrongfully taken” from other users, and it identified a total of 10 addresses. The team said it does not believe recipients acted intentionally and asked for cooperation in returning the funds. The disclosure underlines how a single contract flaw can create multi-network exposure when cross-chain systems are involved. For users, the pause notice is a reminder that speed can outrun safety in cross-chain plumbing.

Exploit mechanics widen the blast radius beyond one protocol

Security researchers described the issue as a message-validation failure. According to the Defimon Alerts account, a CrossCurve contract called ReceiverAxelar let anyone call expressExecute with a spoofed cross-chain message, bypassing gateway validation and triggering unauthorized token unlocks on a PortalV2 contract. In practical terms, the exploit turned cross-chain messaging into an attack surface and converted trusted routes into open doors. The same thread estimated the exploit at around $3 million and said it affected several networks.
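The missing check described above can be shown in a simplified model. This is an added example, not CrossCurve's or Axelar's code: the class and method names, the "recipient:amount" payload encoding and the sample values are all constructed for illustration, and the validated variant is one way to enforce the check in this model rather than the project's actual fix.

```python
import hashlib

class Gateway:
    """Stand-in for a bridge gateway holding validator-approved messages."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(cmd_id, chain, sender, payload):
        return (cmd_id, chain, sender, hashlib.sha256(payload).hexdigest())

    def approve(self, cmd_id, chain, sender, payload):
        self._approved.add(self._key(cmd_id, chain, sender, payload))

    def validate_call(self, cmd_id, chain, sender, payload):
        key = self._key(cmd_id, chain, sender, payload)
        if key not in self._approved:
            return False
        self._approved.remove(key)  # single use, so an approved message cannot be replayed
        return True

class Portal:
    """Stand-in for the contract that holds locked tokens."""
    def __init__(self, locked):
        self.locked, self.paid = locked, {}

    def unlock(self, to, amount):
        if amount > self.locked:
            raise ValueError("insufficient locked balance")
        self.locked -= amount
        self.paid[to] = self.paid.get(to, 0) + amount

class UnvalidatedReceiver:
    """Express path acts on the caller-supplied message without asking the gateway."""
    def __init__(self, gateway, portal):
        self.gateway, self.portal = gateway, portal

    def express_execute(self, cmd_id, chain, sender, payload):
        to, amount = payload.decode().split(":")  # constructed "recipient:amount" encoding
        self.portal.unlock(to, int(amount))

class ValidatedReceiver(UnvalidatedReceiver):
    """Same path, but the message must match a gateway approval first."""
    def express_execute(self, cmd_id, chain, sender, payload):
        if not self.gateway.validate_call(cmd_id, chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        super().express_execute(cmd_id, chain, sender, payload)
```

In the unvalidated receiver the gateway is never consulted, so the portal's balance depends only on what the caller claims; in the validated one, an unapproved, altered or replayed message is rejected before any unlock happens.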

CrossCurve’s incident also drew a response from Curve Finance, which said users who allocated votes to pools related to the protocol may want to review their positions and consider removing those votes. That governance nudge highlights how security events can cascade into incentives, liquidity, and reputational risk across an ecosystem. The report notes the protocol is backed by Michael Egorov and raised $7 million from venture capital firms in 2023.

Recovery terms set a tight clock for returning funds

CrossCurve cited its Safe Harbor Responsible Disclosure Policy and offered a 10% white-hat bounty to recover funds. The pitch is straightforward: return the remainder and keep up to 10% as a bounty. It set a 72-hour window for hackers to make effective contact, warning that silence would trigger immediate escalation. That escalation includes formal criminal and civil proceedings and coordination with exchanges such as Coinbase and Binance, stablecoin issuers, law enforcement, and on-chain analytics firms including Chainalysis, TRM Labs, and Elliptic.

The report compares the incident to Nomad’s $190 million bridge exploit in 2022, which it says compromised about 8,000 Solana wallets. Andrew Morfill of Komainu said prevention should lean on secure standard contract templates, audits, and secure software development lifecycles. He added that mature markets reward protocols that are securely developed, updated, and built with real utility. Teams should act fast and document everything now.
