The CrossCurve bridge, formerly known as EYWA, has suffered a major cyberattack in which attackers exploited a vulnerability in its smart contract infrastructure and drained approximately $3 million across multiple blockchain networks.
The CrossCurve team confirmed the incident on Sunday, stating that its bridge infrastructure was “currently under attack” and warning users to immediately stop interacting with the protocol.
“Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. “Please pause all interactions with CrossCurve while the investigation is ongoing.”
Blockchain security account Defimon Alerts identified the root cause of the cyberattack as a gateway validation bypass within CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract lacked a critical validation check, allowing any user to call the expressExecute function with a spoofed cross-chain message.
By exploiting this flaw, attackers were able to bypass the intended gateway validation logic and trigger unauthorized token unlocks on the protocol’s PortalV2 contract. As a result, funds were drained without proper authorization. The exploit impacted the CrossCurve bridge across multiple networks, highlighting the risks associated with cross-chain messaging systems.
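A simplified Python model of the missing check described above, added here as an illustration and not CrossCurve's or Axelar's code. The class names, message fields and sample message are assumptions; it contrasts a receiver that acts on any caller's message with one that first asks the gateway whether that exact message was approved.

```python
import hashlib

class Gateway:
    """Stand-in for the messaging gateway: tracks messages it has approved."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(command_id, source_chain, source_address, payload):
        return (command_id, source_chain, source_address, hashlib.sha256(payload).hexdigest())

    def approve(self, *msg):
        self._approved.add(self._key(*msg))

    def validate(self, *msg):
        # An approval is consumed on use, so the same message cannot be replayed.
        key = self._key(*msg)
        if key not in self._approved:
            return False
        self._approved.remove(key)
        return True

class Portal:
    """Stand-in for the contract that holds locked tokens."""
    def __init__(self, balance):
        self.balance = balance

    def unlock(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient locked balance")
        self.balance -= amount

class VulnerableReceiver:
    def __init__(self, gateway, portal):
        self.gateway, self.portal = gateway, portal

    def express_execute(self, command_id, source_chain, source_address, payload):
        # Missing check: the message is acted on without consulting the gateway.
        self.portal.unlock(int.from_bytes(payload, "big"))

class HardenedReceiver(VulnerableReceiver):
    def express_execute(self, command_id, source_chain, source_address, payload):
        # Act only on a message the gateway has approved for exactly these fields.
        if not self.gateway.validate(command_id, source_chain, source_address, payload):
            raise PermissionError("message not approved by gateway")
        self.portal.unlock(int.from_bytes(payload, "big"))

# Constructed sample message; every field is a placeholder.
SAMPLE = ("cmd-1", "chain-a", "0xsender", (1_000).to_bytes(32, "big"))
```

In the hardened model the unlock path is reachable only after the gateway check, and binding the approval to the payload hash means a caller cannot reuse an approval for a different amount.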
Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract’s balance dropped from roughly $3 million to nearly zero around January 31. Transaction data indicates that the exploit unfolded across several chains, rather than being confined to a single network.
CrossCurve, previously branded as EYWA, operates a cross-chain decentralized exchange and liquidity protocol developed in partnership with Curve Finance. The protocol relies on what it calls a “Consensus Bridge,” which routes transactions through multiple independent validation mechanisms, including Axelar, LayerZero, and the EYWA Oracle Network. The design was intended to reduce reliance on any single system and minimize points of failure.
In its documentation, CrossCurve had highlighted this architecture as a key security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” The recent cyberattack, however, demonstrated that a vulnerability in a single smart contract can still compromise the broader system, regardless of the number of validation layers involved.
The project has prominent backing in the decentralized finance ecosystem. Curve Finance founder Michael Egorov became an investor in the protocol in September 2023, and CrossCurve later announced that it had raised $7 million from venture capital firms.
Following the exploit, Curve Finance issued a warning to users with exposure to EYWA-related pools. “Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance wrote on X. “We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects.”
Security researchers compared the CrossCurve bridge exploit to earlier incidents in the sector. The vulnerability bears similarities to the 2022 Nomad bridge hack, in which attackers drained approximately $190 million after discovering a flawed validation mechanism. That exploit escalated rapidly, with hundreds of wallet addresses copying the attack once it became public.