CrossCurve loses $3M in cross-chain bridge attack

Key points:

• CrossCurve has confirmed a hack of its cross-chain bridge that resulted in losses of approximately $3 million across several blockchain networks.
• The attack was caused by a smart contract vulnerability that allowed attackers to forge cross-chain messages and unlock tokens.
• The project has offered hackers a 10% bounty for returning the funds and set a 72-hour window for cooperation.

The CrossCurve cross-chain bridge has reported a serious attack on its protocol. As a result of the incident, users lost around $3 million, with funds drained across multiple blockchain networks.

Source: X.com

The project team said the breach was caused by a vulnerability in its smart contracts. CrossCurve quickly warned users on X and urged them to immediately stop all interactions with the protocol while the issue is being investigated.

How the Attack Happened

According to CrossCurve, a flaw in one of its smart contracts allowed a number of addresses to receive tokens that were effectively taken from other users. The team stressed that it does not believe these addresses acted with malicious intent and asked them to voluntarily return the funds. In total, ten such addresses were identified.

Blockchain security analysts at Defimon Alerts reported that the vulnerability was located in the ReceiverAxelar contract. The flaw made it possible to forge cross-chain messages and bypass gateway verification, allowing unauthorized token unlocks in the PortalV2 contract.

Hacker Bounty and Possible Escalation

CrossCurve has offered so-called white-hat hackers a bounty of 10% of the recovered funds under its Safe Harbor policy, which governs responsible vulnerability disclosure. The remaining assets must be returned to the protocol.

The project has set a 72-hour deadline to begin cooperation. If no agreement is reached and the funds are not returned within that timeframe, the team said it will move forward with stronger measures.

Ribbon Finance hack: hackers stole $2,7 million through an oracle vulnerability

The incident once again showed that price manipulation remains a serious threat to DeFi.

Читать дальше

What this includes: Cooperation with law enforcement agencies, crypto exchanges such as Coinbase and Binance, stablecoin issuers, and blockchain analytics firms including Chainalysis, TRM Labs, and Elliptic.

AI-driven scams went “industrial” in 2025

A new report shows a sharp rise in AI-powered scams and their transformation into a systemic tool of crypto crime

Читать дальше

Expert Commentary: Commenting on the incident, Komainu Chief Information Security Officer Andrew Morfill said the industry still lacks standardized, battle-tested smart contract templates and strict development processes. According to him, only secure, regularly updated protocols with real utility will be able to restore investor confidence in the DeFi sector.