CrossCurve Bridge Drained in US$3M Smart Contract Exploit Across Multiple Chains

CrossCurve confirmed an active bridge exploit enabling roughly US$3 million in unauthorised token unlocks.
A validation bypass allowed spoofed cross-chain messages to drain funds from the PortalV2 contract.
The incident drew comparisons to the Nomad hack and prompted warnings from Curve Finance.

Cross-chain liquidity protocol CrossCurve has confirmed its bridge infrastructure is under active attack following the exploitation of a smart contract vulnerability that enabled unauthorised token unlocks worth approximately US$3 million (AU$4.32 million).CrossCurve disclosed the incident on Sunday, warning users to immediately halt all interactions with the platform while investigations continue.

⚠️ URGENT Security Notice
Dear users,
Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used.
Please pause all interactions with CrossCurve while the investigation is ongoing.
We appreciate your patience and… pic.twitter.com/yfo1KvWoDd
— CrossCurve (@crosscurvefi) February 1, 2026

Blockchain security firm-linked account Defimon Alerts attributed the exploit to a validation flaw within CrossCurve’s ReceiverAxelar contract. The vulnerability allowed attackers to submit fabricated cross-chain messages via the expressExecute function, bypassing gateway checks designed to authenticate transactions. This bypass triggered unauthorised token releases from the protocol’s PortalV2 contract without proper verification.

On-chain data shared by Defimon Alerts shows the PortalV2 contract balance falling from roughly US$3 million (AU$4.32 million) to nearly zero on 31 January. The exploit appears to have affected multiple blockchain networks connected to CrossCurve’s bridge infrastructure.

Related: Crypto Sell-Off Deepens as Bitcoin Briefly Dips Below $84K

Concerns Over Longstanding Bridge Weaknesses

The attack has drawn comparisons to the 2022 Nomad bridge incident, where flawed validation logic enabled widespread fund withdrawals. Security researcher Taylor Monahan noted that the same category of weakness continues to resurface in cross-chain systems.

CrossCurve, formerly known as EYWA Protocol, operates a cross-chain decentralised exchange and consensus bridge developed in partnership with Curve Finance. The protocol routes transactions through several independent validation layers, including Axelar, LayerZero and the EYWA Oracle Network, in an effort to reduce single points of failure.

Despite these safeguards, Curve Finance advised users with exposure to EYWA-related pools to reassess their positions and consider removing votes. The platform reiterated the importance of exercising caution when interacting with third-party protocols.

Related: SEC Chair Walks Back Timeline on Sweeping Crypto Exemptions After Wall Street Pushback

Credit: Source link