- CrossCurve said its bridge was “under attack” on Feb. 2 and told users to pause interactions.
- Defimon Alerts, linked to Decurity, estimated losses around $3 million across “several networks.”
- Early reporting and security posts described a spoofed cross-chain message that bypassed validation and triggered token unlocks on the destination chain.
Cross-chain liquidity protocol CrossCurve said its bridge was exploited on Feb. 2, with security monitors estimating roughly $3 million in losses across multiple networks.
The protocol urged users to pause interactions while it investigated.
Later, CEO Boris Povar published ten Ethereum addresses he said received funds and offered a bounty of up to 10% if the assets were returned within 72 hours, warning the project would pursue legal action if no contact was made.
Bitget
-
Bitcoin
-
Ethereum
-
Tether
-
Litecoin
-
Bitcoin Cash
-
TRON
-
Ripple
-
Cardano
-
Binance USD
-
USD Coin
-
Polkadot
-
Shiba Inu
-
Basic Attention Token
-
Qtum
-
Ethereum Classic
-
Chainlink
-
Solana
-
Polygon Matic
-
Cosmos
-
Wrapped Bitcoin
-
PancakeSwap
-
The Sandbox
-
Storj
-
iExec RLC
-
Bancor
-
Uniswap
-
Enjin Coin
-
1inch Network
-
Chiliz
-
Aave
-
Synthetix
-
Maker
-
Compound
-
Theta Network
-
Celo
-
Curve DAO Token
-
Decentraland
-
JUST
-
Axie Infinity
-
Gala
-
Internet Computer
-
The Graph
-
Filecoin
-
dYdX
-
Mask Network
-
Lido DAO Token
-
Reserve Rights
-
Chromia
-
Ankr
-
Ocean Protocol
-
Adventure Gold
-
Origin Protocol
-
Celer Network
-
NKN
-
Bitget Token
-
Alchemix
-
Immutable
-
Ethereum Name Service
-
Avalanche
-
Zilliqa
-
JasmyCoin
-
Toncoin
-
Convex Finance
-
Spell Token
-
Holo
-
Render Token
-
SushiSwap
-
MetisDAO
-
Audius
-
Illuvium
-
ARPA Chain
-
Osmosis
-
Fantom
-
Neo
-
Arweave
-
Algorand
-
Kusama
-
XDC Network
-
APEcoin
-
MultiversX
-
THORChain
-
NEAR Protocol
-
Nexo
-
Amp
-
Livepeer
-
PAX Gold
-
TrueUSD
-
BitTorrent
-
Golem
-
FLUX
-
Helium
-
Dai
-
Build'N'Build
Bitunix
-
Bitcoin
-
Ethereum
-
Tether
-
USD Coin
-
Solana
-
Ripple
-
Dogecoin
-
Cardano
-
Toncoin
-
Shiba Inu
-
Avalanche
-
TRON
-
Chainlink
-
Polygon Matic
-
Polkadot
-
Wrapped Bitcoin
-
Litecoin
-
Dai
-
NEAR Protocol
-
Bitcoin Cash
-
Stellar
-
Cosmos
-
Filecoin
-
Ethereum Classic
-
Aptos
-
Hedera Hashgraph
-
Immutable
-
Optimism
-
Arbitrum
-
VeChain
-
The Sandbox
-
Decentraland
-
Axie Infinity
-
Injective Protocol
-
Render
-
The Graph
-
Maker
-
Aave
-
Chiliz
-
Helium
-
PAX Gold
-
Compound
-
Lido DAO Token
-
Sui
-
Conflux Network
-
Lido Staked ETH
-
OKB
-
Uniswap
-
Pepe
-
Ondo
-
Mantle
-
First Digital USD
-
XDC Network
-
Artificial Superintelligence Alliance
-
Jupiter
-
Quant
-
Worldcoin
-
Bonk
-
Tether Gold
-
JITO
-
JasmyCoin
-
Core
-
Floki Inu
-
Ethereum Name Service
-
SushiSwap
-
1inch Network
-
Tezos
-
Algorand
-
Flow
-
Trust Wallet Token
-
Curve DAO Token
-
MultiversX
-
Basic Attention Token
-
Enjin Coin
-
Ethena
-
Ethena Staked USDe
-
Audius
-
Alchemy Pay
-
Arkham
-
API3
-
Bounce Token
-
Altlayer
-
Aergo
-
Amp
-
Aevo
-
Ankr
-
Axelar
-
Alpaca Finance
-
Blur
-
Biconomy
-
Tranchess
-
Celer Network
-
Shentu
-
Civic
-
Convex Finance
-
Cartesi
-
Cyber
-
COTI
-
DIA
-
dYdX
-
ether.fi
-
FLUX
-
Ampleforth
-
Golem
-
Holo
-
Illuvium
-
JUST
-
Livepeer
-
Memecoin
-
Manta Network
-
Treasure
-
Mask Network
-
Origin Protocol
-
ORDI
-
Ontology
-
Phala Network
-
Pendle
-
Portal
-
Pyth Network
-
ConstitutionDAO
-
iExec RLC
-
Reserve Rights
-
Ravencoin
-
Storj
-
Status
-
Spell Token
-
Sun (New)
-
SuperVerse
-
Tellor
-
LayerZero
-
Scroll
-
Usual
-
Eigenlayer
-
Hamster Kombat
-
Catizen
-
Berachain
-
KAITO
-
Pudgy Penguins
-
Solayer
-
Bio Protocol
-
ChainGPT
-
Cookie DAO
-
Solv Protocol
-
Movement
-
DeXe
-
Nexo
-
Hyperliquid
-
STEPN
-
Synthetix
-
Neo
-
APEcoin
-
Gala
-
Internet Computer
-
Pi Network
-
IoTex
-
Build'N'Build
BTCC
-
Ethereum
-
Tether
-
USD Coin
-
Solana
-
Ripple
-
Dogecoin
-
Cardano
-
Toncoin
-
Shiba Inu
-
Avalanche
-
TRON
-
Chainlink
-
Polygon Matic
-
Polkadot
-
Litecoin
-
NEAR Protocol
-
Bitcoin Cash
-
Stellar
-
Cosmos
-
Filecoin
-
Ethereum Classic
-
Aptos
-
Immutable
-
Optimism
-
Arbitrum
-
VeChain
-
The Sandbox
-
Decentraland
-
Axie Infinity
-
Injective Protocol
-
The Graph
-
Hedera Hashgraph
-
Render Token
-
Aave
-
Chiliz
-
PAX Gold
-
Compound
-
Lido DAO Token
-
THORChain
-
Stacks
-
Arweave
-
Sui
-
Conflux Network
-
Uniswap
-
Pepe
-
Ondo
-
Mantle
-
First Digital USD
-
Bittensor
-
Kaspa
-
Celestia
-
Artificial Superintelligence Alliance
-
Jupiter
-
Quant
-
Worldcoin
-
PayPal USD
-
Bonk
-
Rocket Pool ETH
-
Tether Gold
-
Sei
-
JITO
-
JasmyCoin
-
PancakeSwap
-
Floki Inu
-
Ethereum Name Service
-
SushiSwap
-
1inch Network
-
Algorand
-
Flow
-
Trust Wallet Token
-
Curve DAO Token
-
Basic Attention Token
-
Enjin Coin
-
Ethena
-
Ethena USDe
-
Pi Network
-
Adventure Gold
-
Audius
-
Acala Token
-
Alchemy Pay
-
Arkham
-
API3
-
Bounce Token
-
Altlayer
-
Amp
-
Aevo
-
ARPA Chain
-
Ankr
-
Blur
-
Biconomy
-
Chromia
-
Celer Network
-
Celo
-
Civic
-
Convex Finance
-
Cartesi
-
COTI
-
DigiByte
-
DIA
-
Dymension
-
dYdX
-
ether.fi
-
FUNToken
-
FLUX
-
Ampleforth
-
Golem
-
GMX
-
Holo
-
IoTex
-
Illuvium
-
JUST
-
Liquity
-
Livepeer
-
Memecoin
-
Manta Network
-
Treasure
-
Mask Network
-
NKN
-
Neutron
-
Ocean Protocol
-
Origin Protocol
-
ORDI
-
Osmosis
-
Powerledger
-
Phala Network
-
Pendle
-
Portal
-
Pyth Network
-
ConstitutionDAO
-
iExec RLC
-
Rocket Pool
-
Reserve Rights
-
Storj
-
Starknet
-
Spell Token
-
Sun (New)
-
Saga
-
SuperVerse
-
Toko Token
-
Tellor
-
LayerZero
-
Usual
-
Cetus Protocol
-
Eigenlayer
-
Hamster Kombat
- Neiro - First Neiro on Ethereum
-
Catizen
-
Berachain
-
KAITO
-
Pudgy Penguins
-
Solayer
-
Alchemix
-
Bitcoin
-
Bitcoin SV
-
Movement
-
Nexo
-
Hyperliquid
-
Nervos Network
-
TrueUSD
-
Mina
-
STEPN
-
Synthetix
-
APEcoin
-
Gala
-
Cronos
-
Internet Computer
-
Build'N'Build
CrossCurve Attack Timeline
CrossCurve said on Feb. 2 that its bridge was “under attack,” involving exploitation of a vulnerability in one of the smart contracts used in its cross-chain system.
The exploit allowed an attacker to spoof a message to bypass validation and unlock tokens.
One quoted description said an attacker could call an “express” execution path on a receiver contract using a forged cross-chain message, then trigger an unlock on a portal contract.
CrossCurve has not published a full post-mortem or confirmed a final loss figure. Separate estimates clustered around $3 million.
In a follow-up post, Povar said the team identified ten Ethereum addresses tied to received funds and set a 72-hour window to return assets or make contact before escalation.
He said the project was prepared to pursue civil and criminal remedies and coordinate with industry partners to freeze assets.
CrossCurve did not immediately respond to a request for comment on the specific bug, the final loss amount, or a timeline for reopening.
A separate warning came from Curve Finance, which said users allocated to CrossCurve pools “may wish to review their positions” and consider removing votes, urging “risk-aware decisions” when interacting with third parties.
Why Spoofed Messages and Validation Assumptions Keep Winning
Bridge exploits often look like “just a smart contract bug.” The deeper pattern is verification failure.
A bridge is a promise: release assets on Chain B because something real happened on Chain A. The hard part is proving that “something real” without trusting an attacker’s message.
In general message passing, the destination contract is supposed to verify that a call was approved by the validator set by checking with the gateway (for example, via a validation function) before executing.
If a receiver contract accepts an alternate path that skips or weakens that check, a forged message can become a payout.
That’s why the “receiver side” matters as much as the messaging layer.
A protocol can route messages through reputable infrastructure and still lose funds if its own destination contract implements permissive logic, unsafe fast paths, or incorrect assumptions about upstream guarantees.
CrossCurve’s own documentation frames cross-chain risk as a “black swan” category and describes a design goal of routing through multiple independent validation protocols (“Consensus Bridge”) to reduce single points of failure.
But even multi-path designs can be undermined by a weak integration contract at the edge.
The Uncomfortable Truth: Bridge UX Wants Speed, Security Wants Paranoia
Users want bridging to feel instant: fewer clicks, less waiting, faster finality.
Security wants the opposite: more confirmations, tighter limits, and “do nothing unless you’re sure.”
Some cross-chain stacks explicitly offer speed features like “express” execution, where off-chain actors can accelerate delivery of an intended outcome.
The trade-off is that fast paths demand extra care in how authenticity is enforced, because the system is trying to move before the slowest proofs arrive.
This tension is why bridge hacks stay evergreen. Bridges concentrate liquidity, and a single verification bypass can unlock assets across multiple networks in one run.
What To Watch Next
CrossCurve has not yet released a full incident report. In most bridge incidents, the next signals that matter are:
- Whether contracts remain paused and what code changes ship before any restart.
- Whether the attacker returns funds, often in exchange for a bounty.
- Whether stablecoin issuers, exchanges, or analytics firms flag and freeze related addresses.
- Whether independent security teams publish a corroborated root-cause analysis.
For now, the takeaway is familiar and still useful: cross-chain bridges remain one of crypto’s most repeatable failure points, because “truth across chains” is a hard engineering problem with real money behind every assumption.
This is a developing story and will be updated.
-
Safest Exchanges Best Safest (Most Secure) Crypto Exchanges? Check Out These Exchanges
-
Secure Crypto Wallets Crypto Wallets Reviews and Ranked
-
Bet Anonymously Check Out Our Recommended No KYC Casinos
