CrossCurve Bridge Exploited for $3 Million Through Smart Contract Validation Flaw

The post CrossCurve Bridge Exploited for $3 Million Through Smart Contract Validation Flaw appeared on BitcoinEthereumNews.com.

TLDR: CrossCurve’s ReceiverAxelar contract lacked validation checks, enabling attackers to spoof messages.  The exploit drained approximately $3 million from PortalV2 across multiple blockchain networks.  Security experts compare the incident to Nomad’s 2022 bridge hack that lost $190 million in funds.  Curve Finance advised users to review positions in EYWA-related pools following the security breach.   CrossCurve, a cross-chain liquidity protocol formerly known as EYWA, confirmed a security breach on Sunday that drained approximately $3 million from its bridge infrastructure. The attack exploited a validation vulnerability in the protocol’s smart contracts, prompting the team to urge users to halt all platform interactions. The incident affects multiple blockchain networks and raises concerns about bridge security practices in decentralized finance. Missing Validation Check Enables Unauthorized Token Withdrawals The exploit targeted a critical weakness in CrossCurve’s ReceiverAxelar contract, according to blockchain security account Defimon Alerts. Attackers bypassed gateway validation by calling the expressExecute function with fabricated cross-chain messages. This manipulation triggered unauthorized token unlocks from the protocol’s PortalV2 contract without proper verification. Data from Arkham Intelligence revealed the PortalV2 contract’s balance collapsed from roughly $3 million to nearly zero on January 31. The attack spread across multiple networks connected to CrossCurve’s bridge infrastructure. Security expert Taylor Monahan drew comparisons to Nomad’s $190 million bridge hack in 2022, which saw over 300 wallets drain funds simultaneously. “I cannot believe nothing has changed in four years,” Monahan stated when analyzing the exploit’s similarities to previous bridge vulnerabilities. The ReceiverAxelar contract lacked essential validation checks that should have prevented spoofed messages from executing token transfers. This fundamental oversight allowed attackers to manipulate the system and extract funds systematically. CrossCurve issued an urgent notice on X acknowledging the ongoing attack. “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ February 1, 2026 10:27 pm