CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit

In brief

  • CrossCurve said Sunday an attacker exploited a flaw in its bridge contracts and identified 10 Ethereum addresses that received the funds.
  • Its CEO, Boris Povar, said their team would pursue legal and enforcement action if the funds are not returned within 72 hours.
  • Security firms estimate losses at roughly $3 million across multiple blockchains, though CrossCurve has yet to confirm that figure.

Decentralized finance protocol CrossCurve, formerly known as EYWA, says it has publicly identified ten Ethereum addresses linked to a hack of its token transfer system on Sunday.

CrossCurve disclosed Sunday afternoon that it had suffered an attack “involving the exploitation of a vulnerability in one of the smart contracts” used for its cross-chain bridge, a system that lets users move tokens between different blockchains.

Hours later, CrossCurve CEO Boris Povar said the team had identified ten Ethereum addresses that received the funds in question. “These tokens were wrongfully taken from users due to a smart contract exploit,” Povar said. “We do not believe this was intentional on your part, and there is no indication of malicious intent.”

Povar warned that if the funds are not returned or no contact is established within 72 hours, their team would “assume malicious intent and treat the matter as a judicial issue.” Failure to return the funds would trigger immediate escalation, including criminal referrals, civil litigation, coordination with exchanges and issuers to freeze assets, public disclosure of wallet and transaction data, and cooperation with law enforcement and blockchain analytics firms, Povar added.

A smart contract is a program that runs on a blockchain and automatically executes transactions according to predefined rules.

Defimon Alerts, a social account run by blockchain security firm Decurity, provided an initial estimate that the exploit resulted in losses of around $3 million across “several networks,” adding that the flaw let an attacker send a fake cross-chain message on CrossCurve’s smart contract that bypassed checks and caused the bridge to release funds.

Blockchain security firm BlockSec, meanwhile, estimated total losses at about $2.76 million, including roughly $1.3 million on Ethereum and about $1.28 million on Arbitrum, with the remainder spread across several other chains, including Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.

CrossCurve has not publicly confirmed the loss estimate cited by security firms, and has not shared its own figure for the funds affected. Decrypt has reached out to CrossCurve for comment.

The exploit stemmed from a “lack of validation,” the team at BlockSec told Decrypt. “The cross‑chain messages that should have been validated were not verified, causing the destination‑chain contract to believe the message reflected a genuine transaction initiated on the source chain and to release the corresponding assets based on attacker‑forged payload data,” BlockSec said.

The incident shows that “cross-chain security still leans too heavily on a single validation pathway,” BlockSec added. “If any alternate execution path bypasses that check, the entire trust model collapses.”

“This exploit wasn’t a failure of Axelar’s core protocol; it was a receiver-side failure,” Dan Dadybayo, research and strategy lead at Unstoppable Wallet, told Decrypt. “CrossCurve’s custom ReceiverAxelar contract executed cross-chain messages without sufficiently authenticating them first.”

Dadybayo said this pattern has been seen before in cases like Nomad’s 2022 hack.

“The hard part of bridge security isn’t the messaging layer, it’s making sure nothing happens until authenticity is fully proven,” he added. “Custom receivers remain the weakest link. As long as bridges concentrate liquidity and rely on bespoke validation logic, they will continue to be the highest-risk surface in DeFi.”
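
The receiver-side failure that BlockSec and Dadybayo describe, as a simplified Python model added here for illustration. It is not CrossCurve's or Axelar's code; the class names, the `execute_alt` entry point and the `recipient:amount` payload format are assumptions made for the example.

```python
import hashlib

class Gateway:
    """Constructed stand-in for the messaging layer's record of approved messages."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(cmd_id, chain, sender, payload):
        return (cmd_id, chain, sender, hashlib.sha256(payload).hexdigest())

    def approve(self, cmd_id, chain, sender, payload):
        self._approved.add(self._key(cmd_id, chain, sender, payload))

    def validate(self, cmd_id, chain, sender, payload):
        key = self._key(cmd_id, chain, sender, payload)
        if key not in self._approved:
            return False
        self._approved.remove(key)  # consume the approval so it cannot be replayed
        return True

class WeakReceiver:
    """Authentication lives in one entry point; a second entry point skips it."""
    def __init__(self, gateway, trusted, balance):
        self.gateway, self.trusted, self.balance = gateway, trusted, balance

    def _authentic(self, cmd_id, chain, sender, payload):
        return (chain, sender) in self.trusted and self.gateway.validate(cmd_id, chain, sender, payload)

    def _release(self, payload):
        recipient, amount = payload.decode().split(":")  # constructed "recipient:amount" format
        self.balance -= int(amount)
        return recipient, int(amount)

    def execute(self, cmd_id, chain, sender, payload):
        if not self._authentic(cmd_id, chain, sender, payload):
            raise PermissionError("unauthenticated cross-chain message")
        return self._release(payload)

    def execute_alt(self, cmd_id, chain, sender, payload):
        return self._release(payload)  # no check: payload fields are trusted as-is

class HardenedReceiver(WeakReceiver):
    """Every entry point routes through the same check before any release."""
    def execute_alt(self, cmd_id, chain, sender, payload):
        return self.execute(cmd_id, chain, sender, payload)
```

In the weak receiver a message the gateway never approved still releases funds through the second entry point; in the hardened one both entry points reject it, and an approved message cannot be executed twice.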
