Decentralised finance protocol CrossCurve has identified ten Ethereum wallet addresses involved in the exploit of its bridge infrastructure.
Unofficial estimates claim nearly $3 million worth of funds may have been drained.
The incident, which occurred on Sunday, involved a vulnerability in one of CrossCurve’s smart contracts that forms part of its cross-chain bridge infrastructure, which is designed to enable token transfers between different chains.
The breach has impacted several networks, and CrossCurve has urged users to avoid interacting with the protocol until the issue has been patched.
⚠️ URGENT Security Notice
Dear users,
Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used.
Please pause all interactions with CrossCurve while the investigation is ongoing.
We appreciate your patience and
Notably, an attacker leveraged a smart contract vulnerability to bypass message validation and trigger unauthorised fund releases.
A formal post-mortem of the incident has also not yet been published.
Defimon Alerts, a blockchain security tracker operated by Decurity, speculated that the vulnerability may have stemmed from improper validation logic in CrossCurve’s ReceiverAxelar contract.
Their analysis suggests that the contract’s expressExecute function could be triggered with “spoofed” cross-chain messages, bypassing the gateway authentication process that typically ensures message legitimacy.
As a result of this vulnerability, the attackers were able to simulate valid cross-chain communication and unlock tokens from the protocol’s PortalV2 contract without proper verification and withdraw funds from the bridge contract across multiple networks without depositing corresponding assets on the source chain.
Initial estimates from blockchain security firms place the total loss at around $3 million.
Cybersecurity firm BlockSec pegged total losses at approximately $2.76 million, with roughly $1.3 million taken from Ethereum and $1.28 million from Arbitrum.
Smaller amounts were drained across a range of other chains, including Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.
At the time of writing, CrossCurve has not confirmed these external estimates or disclosed its own calculation of the affected funds.
CrossCurve offers 10% bounty
In a public statement, CrossCurve CEO Boris Povar said the team had traced the movement of stolen assets to ten specific Ethereum addresses.
He noted that the tokens were taken due to a smart contract flaw and appealed to the recipients to return the funds, stating that there was “no indication of malicious intent.”
“If the funds are not returned or no contact is established within 72 hours, we will have to assume malicious intent and treat this as a judicial matter,” Povar said.
The project will offer a 10% bounty if funds are returned within the given deadline, Povar added.
CrossCurve has previously marketed its multi-layered consensus bridge architecture as a safeguard against typical single points of failure in cross-chain systems.
Its validation stack includes integrations with networks such as Axelar and LayerZero alongside its proprietary EYWA Oracle Network.
In past documentation, the CrossCurve team has claimed that “the probability of several crosschain protocols getting hacked at the same time is near zero.”
The latest breach has also drawn comparisons to the 2022 Nomad Bridge exploit, which exposed similar vulnerabilities in validation logic.
At the time, a coding oversight in smart contract upgrades allowed users to copy and paste transactions to drain nearly $190 million in a free-for-all heist involving over 300 unique addresses.
The post CrossCurve identifies 10 wallets involved in the $3M bridge exploit appeared first on Invezz
