DeFi Protocol CrossCurve Smart Contract Exploited, Suffers $3M Loss Across Multiple Chains

Cross-chain bridge CrossCurve introduced Monday that it has suffered a serious assault, shedding $3 million throughout a number of networks.

The DeFi protocol famous {that a} vulnerability in its smart contracts had been exploited, elevating safety issues about cross-chain infrastructure.

“Our bridge is at present underneath assault,” it wrote on X, warning customers to droop all interactions with CrossCurve.

URGENT Security Notice

Dear customers,

Our bridge is at present underneath assault, involving the exploitation of a vulnerability in one of many good contracts used.

Please pause all interactions with CrossCurve whereas the investigation is ongoing.

We recognize your endurance and… pic.twitter.com/yfo1KvWoDd

— CrossCurve (@crosscurvefi) February 1, 2026

Smart Contract Flaw: Attackers Used Spoof Messages

Per CrossCurve publish, some consumer addresses obtained token funds as a result of good contract vulnerability that have been “wrongfully taken” from different customers.

“We don’t consider this was intentional in your half, and there’s no indication of malicious intent. We hope in your cooperation in returning the funds,” the platform wrote, figuring out a complete of 10 addresses.

According to blockchain safety account Defimon Alerts, a weak CrossCurve’s good contracts ReceiverAxelar, allowed anybody to spoof cross-chain message, bypassing the gateway validation. This has triggered unauthorized token unlocks on PortalV2 contract.

CrossCurve @crosscurvefi (ex https://t.co/4HJ33uOZUS) has been exploited for round 3 million on a number of networks.

Anyone might name expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2.… pic.twitter.com/EfYe3Tfo9v

— Defimon Alerts (@DefimonAlerts) February 1, 2026

Besides, Curve Finance wrote that customers who’ve allotted votes to the platform-related swimming pools “might want to assessment their positions and take into account eradicating these votes.”

The protocol is backed by Curve Finance founder Michael Egorov and raised $7 million from VCs in 2023.

CrossCurve Offers 10% White Hat Bounty, Sets 72-Hour Limit

Per the Safe Harbor Responsible Disclosure Policy, which particulars the steps to implement accountable reporting of safety vulnerabilities, if a white-hat hacker assists in fund restoration, a ten% bounty will likely be supplied.

“This makes you eligible to maintain as much as 10% if the rest is returned,” the undertaking group famous.

Besides, CrossCurve has set a 72-hour restrict for hackers to return the funds. If no efficient communication is established, the undertaking group will take speedy escalation.

This consists of formal felony and civil proceedings, collaborating with exchanges similar to Coinbase and Binance, stablecoin issuers, regulation enforcements and on-chain analytics corporations, together with Chainalysis, TRM Labs and Elliptic.

CrossCurve hack is much like Nomad’s $190 million bridge exploit in 2022, which noticed an estimated 8000 Solana wallets compromised.

“In phrases of prevention, an business set of ordinary good contract templates which can be identified to be safe, good contract auditing and safe software program growth lifecycles could be steps in the appropriate path,” Andrew Morfill, Chief Information Security Officer at Komainu, informed Cryptonews. “As the market matures, securely developed and up to date protocols with actual utility will present the credibility and safety assurance traders are on the lookout for.”

The publish DeFi Protocol CrossCurve Smart Contract Exploited, Suffers $3M Loss Across Multiple Chains appeared first on Cryptonews.