CrossCurve Cross-Chain Bridge Hacked, Loss of $3 Million: Smart Contract Vulnerability Rings Alarm Again
Behind the convenience of cross-chain finance, security vulnerabilities are like time bombs, repeatedly detonated in similar ways, causing the entire industry to reflect.
On February 2, 2026, Beijing time, the cross-chain liquidity protocol CrossCurve (formerly EYWA), endorsed by Curve Finance founder Michael Egorov, officially confirmed that its cross-chain bridge protocol was under attack due to smart contract vulnerabilities. The attacker forged cross-chain messages, bypassed key gateway verification, and triggered unauthorized token unlocks, resulting in approximately $3 million stolen across multiple chains.
Event Overview: Why Did the Multi-Verification Architecture Fail?
Around January 31, 2026, blockchain security firm Defimon Alerts detected that the balance of CrossCurve’s core contract PortalV2 had plummeted from about $3 million to nearly zero. CrossCurve quickly issued an emergency announcement on X: “Our bridging network is currently under attack. The attacker exploited a vulnerability in a smart contract. Please suspend all interactions with CrossCurve during the investigation.”
Ironically, CrossCurve had previously touted its “Consensus Bridge” multi-verification security architecture as a core selling point. This architecture integrated Axelar, LayerZero, and its own EYWA oracle network, aiming to eliminate single points of failure through multiple independent verification sources. The project team once claimed: “The probability of multiple cross-chain protocols being hacked simultaneously is almost zero.”
Vulnerability Analysis: A Fatal Verification Lapse
Security analysis revealed the technical essence of this attack. The root cause was a seemingly simple verification failure, yet it was enough to breach the entire complex multi-verification system.
Attack Path
The core of the attack occurred in CrossCurve’s ReceiverAxelar contract. This contract is responsible for receiving messages from the Axelar cross-chain network and executing corresponding instructions.
Under normal circumstances, any cross-chain message to be executed must undergo consensus verification from the Axelar network. However, the expressExecute function within this contract had a critical flaw. The attacker discovered they could call this function directly and pass in forged cross-chain message parameters, because the function did not sufficiently validate the message’s true source.
Attack Process
Once the forged instruction was accepted, the contract would send token unlock commands to the core PortalV2 contract responsible for asset custody.
Because PortalV2 fully trusted instructions from ReceiverAxelar, it would faithfully release various assets locked in the contract to the attacker-specified address. This process could be repeated until the main assets in the contract were looted.
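The trust chain described above can be reduced to a small Python model, added here as an illustration; it is not CrossCurve's or Axelar's contract code. All class, method and field names, the message layout and the approval-key scheme are assumptions made for the example. It places an express entry point that acts on caller-supplied fields beside one that requires a trusted source contract and a one-time gateway approval before instructing the custody contract.

```python
import hashlib

def approval_key(command_id, chain, sender, payload):
    # Constructed scheme: bind the approval to every field of the message.
    parts = [command_id, chain.encode(), sender.encode(), hashlib.sha256(payload).digest()]
    return hashlib.sha256(b"|".join(parts)).hexdigest()

class Gateway:
    """Stand-in for the verification network; only its consensus adds approvals."""
    def __init__(self):
        self.approved = set()
    def approve(self, *msg):
        self.approved.add(approval_key(*msg))
    def validate(self, *msg):
        key = approval_key(*msg)
        if key not in self.approved:
            return False
        self.approved.remove(key)  # consume the approval so it cannot be replayed
        return True

class Portal:
    """Custody contract: releases locked funds on any instruction from its receiver."""
    def __init__(self, locked):
        self.locked, self.receiver = locked, None
    def unlock(self, caller, to, amount):
        if caller is not self.receiver:
            raise PermissionError("only the receiver may unlock")
        self.locked -= min(amount, self.locked)
        return to

class Receiver:
    def __init__(self, gateway, portal, trusted):
        self.gateway, self.portal, self.trusted = gateway, portal, trusted
        portal.receiver = self
    def _unlock(self, payload):
        to, amount = payload.decode().split(":")
        return self.portal.unlock(self, to, int(amount))
    def express_execute_vulnerable(self, command_id, chain, sender, payload):
        # Flaw: caller-supplied fields are acted on without checking their origin.
        return self._unlock(payload)
    def express_execute_hardened(self, command_id, chain, sender, payload):
        if self.trusted.get(chain) != sender:
            raise PermissionError("untrusted source contract")
        if not self.gateway.validate(command_id, chain, sender, payload):
            raise PermissionError("not approved by gateway")
        return self._unlock(payload)

def build(locked=3_000_000):
    # Constructed deployment: one trusted peer contract on one source chain.
    gateway, portal = Gateway(), Portal(locked)
    return gateway, portal, Receiver(gateway, portal, {"chain-a": "0xPeer"})
```

In this model the custody contract's own access check passes in both cases, because the instruction always arrives from the receiver; the only place the message's origin can be enforced is the receiver's entry point.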
Repeating History: An Unhealed Security Wound for Four Years
This incident evoked a strong sense of déjà vu in the crypto security community. Security expert Taylor Monahan expressed shock: “I can’t believe four years have passed, and nothing has changed.” She was referring to the Nomad cross-chain bridge attack in August 2022, which shocked the industry. At that time, Nomad was exploited due to a similar initialization verification vulnerability, resulting in about $190 million stolen. Even more astonishing was that, due to the simplicity of the exploit, it evolved into a “money-grabbing frenzy,” with over 300 addresses copying the attack method to steal funds.
From Nomad to CrossCurve, the attack methods are fundamentally similar: both stem from insufficient verification of the most basic security element—the cross-chain message source. These recurring tragedies sharply highlight that, despite rapid industry development, some fundamental smart contract security development norms and audit standards have not been effectively implemented.
Market Chain Reaction: Confidence Crisis and Price Fluctuations
The security incident quickly triggered a chain reaction in the market. The attacked CrossCurve had close ties with top DeFi protocol Curve Finance, whose founder’s investments once served as a significant credibility endorsement for the former.
After the incident, Curve Finance’s official statement on X advised users to “reassess their holdings and consider withdrawing these votes,” emphasizing caution when interacting with “third-party projects.” This cautious wording was widely interpreted as a swift move to distance itself to avoid damage to its reputation.
Mainstream Market Response
According to Gate.io data, as of February 2, 2026, Bitcoin (BTC) price changed by -2.51% in the past 24 hours, trading at $76,814.
Meanwhile, Ethereum (ETH) dropped by 7.42%, to $2,271.18. Although market volatility was driven by multiple factors, the significant security breach in core DeFi protocols undoubtedly heightened risk aversion among investors.
Industry Reflection: The Paradox of Cross-Chain Bridge Security
The CrossCurve incident once again brought the industry consensus that “cross-chain bridges are the most vulnerable link in the crypto world” to the forefront. Whether it’s the Ronin hack (loss of $625 million), Wormhole ($325 million), or this event, all confirm this judgment.
The security paradox of cross-chain bridges lies in the fact that, to enable assets to flow freely between different blockchains, they must establish trust and verification hubs across multiple independent chains with differing security models. Once this hub (a smart contract) has a logical flaw, it becomes a single point of failure for the entire pool of funds. Even with multiple external verifiers, as in CrossCurve’s design, flaws in the contract implementation can render all external protections ineffective.
Latest Developments and User Responses
Faced with ongoing fund outflows and public pressure, the CrossCurve team took crisis response measures after the incident was exposed. According to their latest official statement, the project set a 72-hour deadline for fund restitution. They urged relevant address holders to cooperate in returning mistakenly transferred funds and, under their “Safe Harbor Disclosure Policy,” promised to reward white-hat hackers with up to 10% of the recovered funds.
If no resolution is reached within the specified time, the project team said they would escalate measures, including initiating legal proceedings and collaborating with exchanges, stablecoin issuers, and others to track and freeze related assets.
Bitcoin’s price dropped 2.51% within 24 hours after the incident, while Ethereum’s decline was even deeper at 7.42%. The market responded with cold numbers to the trust collapse triggered by code flaws.
The 72-hour “Safe Harbor” countdown set by the CrossCurve team is ticking. Blockchain explorers show that the stolen funds remain dormant in the attacker’s address, with no large-scale transfers yet. Whether this storm, triggered by a missing verification line, will end with a white-hat settlement or evolve into another long-lasting cross-border asset tug-of-war remains uncertain.