CrossCurve hacked, $3 million evaporated! Fake messages breach multi-chain bridge


CrossCurve, a cross-chain liquidity protocol, confirmed on Sunday that it had been attacked: a verification vulnerability in a smart contract caused losses of approximately $3,000,000 across multiple chains. The attacker bypassed verification in the ReceiverAxelar contract by forging messages, similar to the 2022 Nomad hack. The project previously received investment from the founder of Curve Finance and raised $7,000,000.

CrossCurve Issues Emergency Confirmation of Bridge Network Attack

CrossCurve issued an emergency announcement on X: “Our bridging network is currently under attack. The attacker exploited a vulnerability in a smart contract. During the investigation, please suspend all interactions with CrossCurve.” This brief statement confirmed community concerns but did not provide details of the attack or official data on the scale of the loss.

According to tracking data from Arkham Intelligence, the balance of CrossCurve’s PortalV2 contract plummeted from about $3,000,000 around January 31 to nearly zero. This complete depletion indicates the attacker successfully bypassed all security measures, transferring almost all assets in the contract. More concerning is that the vulnerability’s impact was not limited to a single blockchain but spanned multiple networks supported by CrossCurve, indicating a systemic security failure.

Positioned as a cross-chain decentralized exchange (DEX) and consensus bridge protocol, CrossCurve was built by the CrossCurve team in collaboration with Curve Finance. The platform employs a so-called “Consensus Bridge” mechanism, routing transactions through multiple independent verification protocols such as Axelar, LayerZero, and its own EYWA oracle network, aiming to reduce single point of failure risks. However, this attack demonstrated that even with a multi-verification architecture, a single critical vulnerability in one contract can cause the entire system to collapse.

The project previously emphasized its security architecture as a key differentiator, stating that “the probability of multiple cross-chain protocols being hacked simultaneously is almost zero.” Ironically, the attack was not against multiple protocols but directly bypassed CrossCurve’s own verification logic, rendering its multi-verification architecture ineffective.

Full Analysis of the Gateway Verification Bypass Attack Path

Blockchain security firm Defimon Alerts quickly released a technical analysis report revealing the attacker’s specific method. The core vulnerability was in CrossCurve’s ReceiverAxelar contract, responsible for receiving messages from the Axelar cross-chain network. Normally, these messages should undergo strict gateway verification to ensure only legitimate messages with Axelar network consensus are executed.

However, analysis showed that the expressExecute function in ReceiverAxelar contained a fatal flaw. Anyone could directly call this function and pass in forged cross-chain message parameters, as the contract did not sufficiently verify the message source. This omission allowed attackers to bypass the intended Axelar gateway verification process and inject malicious instructions directly into the contract.

Once a forged message is accepted by expressExecute, it triggers the token unlocking logic on the PortalV2 contract, which is the core asset custody contract of CrossCurve, responsible for locking and releasing cross-chain bridge tokens. Because this contract trusts commands from ReceiverAxelar, when a forged message indicates “user has locked tokens on the source chain, please release tokens on the target chain,” PortalV2 executes unconditionally, transferring tokens that should not be released to the attacker.

The attack process can be simplified as follows:

· Attacker crafts a forged cross-chain message claiming to have deposited large assets on the source chain

· Calls ReceiverAxelar’s expressExecute function with the forged message

· Due to lack of verification, the contract accepts the forged message and triggers PortalV2’s unlock logic

· PortalV2 transfers tokens to the attacker’s specified address, completing the theft

This attack method is particularly frightening due to its repeatability. Once the vulnerability is known, attackers can repeatedly call expressExecute, forging different messages to extract various tokens until the PortalV2 contract is drained. Arkham Intelligence data shows that the attacker executed multiple transactions systematically draining all major assets from the contract.
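
The gateway check that the analysis describes as missing, and the one-time use of each approval that stops repeated calls, can be modelled in a few lines. This Python model is an added example, not CrossCurve's or Axelar's code: the names `Gateway`, `Receiver`, `Portal` and `approval_key` and the `recipient:amount` payload format are assumptions, and SHA-256 stands in for the on-chain hash.

```python
import hashlib

# Hypothetical model: every class, method and payload format here is an assumption.
def approval_key(command_id, source_chain, source_address, payload):
    """Bind an approval to every field of the message, payload included."""
    h = hashlib.sha256()
    for part in (command_id, source_chain.encode(), source_address.encode(),
                 hashlib.sha256(payload).digest()):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()

class Gateway:
    """Stand-in for the bridge gateway: records messages the validators approved."""
    def __init__(self):
        self._approved = set()
    def approve(self, *msg):        # reached only after validator consensus
        self._approved.add(approval_key(*msg))
    def validate_call(self, *msg):  # one-shot: an approval is consumed on use
        key = approval_key(*msg)
        if key not in self._approved:
            return False
        self._approved.remove(key)
        return True

class Portal:
    """Custody model: releases funds only when called by its registered receiver."""
    def __init__(self, balance):
        self.balance, self.receiver = balance, None
    def unlock(self, caller, to, amount):
        if caller is not self.receiver or amount > self.balance:
            raise PermissionError("unlock refused")
        self.balance -= amount
        return (to, amount)

class Receiver:
    """Message entry point: every path to Portal.unlock passes both checks."""
    def __init__(self, gateway, portal, trusted_sources):
        self.gateway, self.portal, self.trusted = gateway, portal, trusted_sources
        portal.receiver = self
    def execute(self, command_id, source_chain, source_address, payload):
        # Check 1: the sender on the source chain is the expected peer contract.
        if self.trusted.get(source_chain) != source_address:
            raise PermissionError("untrusted source")
        # Check 2: the gateway approved exactly this message and it is unused.
        if not self.gateway.validate_call(command_id, source_chain, source_address, payload):
            raise PermissionError("not approved by gateway")
        to, amount = payload.decode().split(":")
        return self.portal.unlock(self, to, int(amount))
```

A message that was never approved, an approved message with an altered payload, and a replay of an already executed message all fail at the second check, so the portal balance does not change.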

Replaying the Nomad Tragedy: Four Years Later, Vulnerabilities Persist

This CrossCurve attack reminded security experts of the August 2022 Nomad bridge vulnerability. At that time, Nomad lost $190 million due to similar verification bypass issues. More alarmingly, over 300 wallet addresses participated in what was called a “collective looting,” because the vulnerability was so simple that anyone could copy the attack transaction and modify the recipient address to steal funds.

Security expert Taylor Monahan told The Block in an interview: “I can’t believe four years have passed and nothing has changed.” Her lament highlights a frustrating reality in the crypto industry: despite billions of dollars lost annually due to smart contract bugs, similar mistakes keep recurring.

The vulnerabilities in Nomad and CrossCurve are fundamentally similar, both stemming from insufficient verification of cross-chain message sources. In decentralized systems, verifying “who sent this message” is a basic security requirement, yet both projects failed in this regard. Nomad’s flaw was initializing the Merkle root to zero, allowing any message to pass verification; CrossCurve simply skipped the gateway verification step altogether.

More troubling is that CrossCurve previously promoted its multi-verification architecture as a security advantage. The project integrated Axelar, LayerZero, and EYWA triple verification mechanisms, which in theory should be more secure than single verification schemes. However, this attack proved that when implementation flaws exist, even the most complex architecture cannot guarantee safety. The key to security is not how many layers of verification there are, but whether each layer is correctly implemented.

Over the four years from Nomad to CrossCurve, the industry has experienced multiple bridge attacks, including Ronin’s $625 million theft, Wormhole’s $325 million loss, and others. The common lesson from these incidents is that cross-chain bridges are among the most vulnerable links in the blockchain ecosystem, as they must coordinate across different security models, and any lapse can lead to catastrophic consequences.

Curve Finance Endorsement and Investor Confidence Crisis

Previously, CrossCurve’s most notable endorsement came from Curve Finance founder Michael Egorov. In September 2023, Egorov became an investor in the protocol, a significant boost for the then-rebranded EYWA Protocol. Curve is one of the most successful stablecoin trading protocols in DeFi, so its founder’s support added substantial credibility to CrossCurve.

Subsequently, CrossCurve announced it had raised $7,000,000 from venture capital firms. Although not all investors were publicly disclosed, Egorov’s involvement undoubtedly attracted other institutional follow-ons. The funds were intended for protocol development, security audits, and ecosystem expansion. However, the $3,000,000 loss from this incident amounts to nearly 43% of its funding, severely impacting the project’s financial health.

Following the incident, Curve Finance quickly issued a statement on X, distancing itself from CrossCurve: “Users who have allocated votes to the Eywa-related liquidity pools may need to reconsider their holdings and consider revoking those votes. We continue to encourage all participants to remain vigilant when interacting with third-party projects and to make risk-aware decisions.”

The wording of this statement is noteworthy. Curve Finance did not directly condemn the attack nor express support for CrossCurve, but instead urged users to “reconsider holdings” and “revoke votes,” implying a loss of confidence in CrossCurve’s security. The phrase “third-party projects” further delineates responsibility boundaries, avoiding direct damage to Curve’s reputation.

For investors and users of CrossCurve, this incident is a painful lesson: even with high-profile endorsements, multi-million dollar funding, and claims of robust security architecture, project safety cannot be guaranteed. In the crypto world, code is law—no amount of publicity or promises can substitute for thoroughly tested smart contract security.
