CrossCurve Hit by $3M Exploit in Multi‑Network Bridge Breach


TL;DR

  • CrossCurve confirmed an exploit in its cross-chain bridge that allowed nearly $3 million to be drained across multiple networks and asked users to avoid all interactions.
  • The attack exploited a validation flaw in cross-chain messages that triggered the release of funds in PortalV2 and nearly emptied the contract.
  • The protocol identified ten addresses, offered a 10% bounty, set a 72-hour deadline, and managed to freeze the funds while coordinating blocks across multiple exchanges.

CrossCurve confirmed an exploit in its cross-chain bridge that allowed nearly $3 million to be drained across multiple networks. The protocol issued a notice asking users to avoid all interaction with the platform while a security patch is applied.

How Did the Attack Work?

The attack originated from a validation flaw in one of the smart contracts responsible for handling cross-chain messages. Onchain security firms reported that a hacker was able to send spoofed messages that bypassed the bridge’s controls and triggered the release of funds from the PortalV2 contract. According to Arkham Intelligence data, the balance of that contract dropped to nearly zero.
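The paragraph above describes spoofed cross-chain messages passing validation and triggering a release from the portal contract. The page does not say which check failed, so the following is an added Python model, not CrossCurve's code, of the checks a receiving contract needs before releasing funds. All names, the peer list and the HMAC key (a stand-in for validator-set signatures) are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for illustration only.
TRUSTED_GATEWAY = "gateway-contract"                 # only this caller may deliver messages
TRUSTED_PEERS = {("arbitrum", "portal-arbitrum")}    # allowed (source chain, source contract)
ATTESTATION_KEY = b"constructed-demo-key"            # stands in for validator signatures


@dataclass(frozen=True)
class Message:
    src_chain: str
    src_sender: str
    nonce: int
    recipient: str
    amount: int

    def digest(self) -> bytes:
        # Every field is bound into the digest so none can be altered after attestation.
        fields = (self.src_chain, self.src_sender, self.nonce, self.recipient, self.amount)
        return hashlib.sha256(repr(fields).encode()).digest()


def attest(msg: Message, key: bytes = ATTESTATION_KEY) -> bytes:
    return hmac.new(key, msg.digest(), hashlib.sha256).digest()


class Portal:
    def __init__(self, balance: int):
        self.balance = balance
        self.used = set()  # (chain, nonce) pairs already executed

    def unlock(self, caller: str, msg: Message, proof: bytes) -> str:
        if caller != TRUSTED_GATEWAY:
            return "rejected: caller is not the gateway"
        if (msg.src_chain, msg.src_sender) not in TRUSTED_PEERS:
            return "rejected: unknown source peer"
        if not hmac.compare_digest(proof, attest(msg)):
            return "rejected: bad attestation"
        if (msg.src_chain, msg.nonce) in self.used:
            return "rejected: replay"
        if msg.amount > self.balance:
            return "rejected: insufficient balance"
        self.used.add((msg.src_chain, msg.nonce))
        self.balance -= msg.amount
        return "released"
```

Removing any one of the first four checks lets a message that never originated on the source chain reach the balance update, which is the class of failure the reports describe.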

Defimon Alerts estimated total losses at around $3 million spread across several networks. BlockSec calculated an approximate impact of $2.76 million, with about $1.3 million on Ethereum and roughly $1.28 million on Arbitrum, in addition to funds on Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.

Hackers

The protocol reported that it identified ten addresses that received the assets extracted during the exploit. In a public message, the protocol requested the return of the funds and offered a reward equal to 10% of the affected amount, under a framework aligned with its SafeHarbor WhiteHat policy. A 72-hour deadline was set to initiate negotiations or return the assets.

https://twitter.com/crosscurvefi/status/2018091623909835018

CrossCurve warned that if the funds are not returned within that period, it will proceed with legal action. The announced measures include civil litigation, criminal referrals, coordination with exchanges and issuers to freeze assets, public disclosure of wallet addresses and transactions, and cooperation with authorities and blockchain analytics firms.


CrossCurve Successfully Froze the Stolen Funds

The protocol, formerly known as EYWA, operates a cross-chain DEX and a consensus bridge developed in collaboration with Curve Finance. After the incident was confirmed, Curve Finance issued a notice to users with votes allocated to EYWA-related pools, recommending that they review their positions and consider removing those votes.

https://twitter.com/crosscurvefi/status/2018245440693477778

In a final statement, CrossCurve said it managed to contain the exploit by freezing the stolen funds. The team is now coordinating with multiple exchanges to block the assets as well, leaving the hacker without options to move the funds.
