CrossCurve Bridge Exploit Drains About $3M, Rekindling Cross-Chain Risk

ccn.com · Published 2026-02-02 · Updated 2026-02-02

Article Summary

Cross-chain liquidity protocol CrossCurve suffered an exploit on February 2, with estimated losses around $3 million across multiple networks. The attack involved a spoofed cross-chain message that bypassed validation, allowing the attacker to trigger unauthorized token unlocks on the destination chain. The protocol urged users to pause interactions and launched an investigation. CEO Boris Povar later published ten Ethereum addresses linked to the stolen funds, offering a 10% bounty for their return within 72 hours and threatening legal action. The incident highlights persistent vulnerabilities in cross-chain bridges, where security often conflicts with user demand for speed. Verification failures and assumptions in smart contract logic remain critical risks, as a single flaw can lead to multi-network exploits.

Key Takeaways
  • CrossCurve said its bridge was “under attack” on Feb. 2 and told users to pause interactions.
  • Defimon Alerts, linked to Decurity, estimated losses around $3 million across “several networks.”
  • Early reporting and security posts described a spoofed cross-chain message that bypassed validation and triggered token unlocks on the destination chain.

Cross-chain liquidity protocol CrossCurve said its bridge was exploited on Feb. 2, with security monitors estimating roughly $3 million in losses across multiple networks.

The protocol urged users to pause interactions while it investigated.

Later, CEO Boris Povar published ten Ethereum addresses he said received funds and offered a bounty of up to 10% if the assets were returned within 72 hours, warning the project would pursue legal action if no contact was made.


CrossCurve Attack Timeline

CrossCurve said on Feb. 2 that its bridge was “under attack,” involving exploitation of a vulnerability in one of the smart contracts used in its cross-chain system.

The exploit allowed an attacker to spoof a message to bypass validation and unlock tokens.

One quoted description said an attacker could call an “express” execution path on a receiver contract using a forged cross-chain message, then trigger an unlock on a portal contract.

CrossCurve has not published a full post-mortem or confirmed a final loss figure. Separate estimates clustered around $3 million.

In a follow-up post, Povar said the team identified ten Ethereum addresses tied to received funds and set a 72-hour window to return assets or make contact before escalation.

He said the project was prepared to pursue civil and criminal remedies and coordinate with industry partners to freeze assets.

CrossCurve did not immediately respond to a request for comment on the specific bug, the final loss amount, or a timeline for reopening.

A separate warning came from Curve Finance, which said users allocated to CrossCurve pools “may wish to review their positions” and consider removing votes, urging “risk-aware decisions” when interacting with third parties.

Why Spoofed Messages and Validation Assumptions Keep Winning

Bridge exploits often look like “just a smart contract bug.” The deeper pattern is verification failure.

A bridge is a promise: release assets on Chain B because something real happened on Chain A. The hard part is proving that “something real” without trusting an attacker’s message.

In general message passing, the destination contract is supposed to verify that a call was approved by the validator set by checking with the gateway (for example, via a validation function) before executing.

If a receiver contract accepts an alternate path that skips or weakens that check, a forged message can become a payout.

That’s why the “receiver side” matters as much as the messaging layer.

A protocol can route messages through reputable infrastructure and still lose funds if its own destination contract implements permissive logic, unsafe fast paths, or incorrect assumptions about upstream guarantees.
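A simplified Python model of the receiver-side check described above, added here as an illustration; it is not CrossCurve's code or any messaging provider's API. `Gateway`, `Receiver`, `execute`, `express_execute` and the sample values are hypothetical names constructed for this example, and the "express" path is modelled only as an alternate entry point that reaches the same unlock.

```python
class Gateway:
    """Constructed stand-in for the messaging layer: remembers validator-approved messages."""
    def __init__(self):
        self._approved = set()

    def approve(self, src_chain, src_addr, payload):
        self._approved.add((src_chain, src_addr, payload))

    def validate(self, src_chain, src_addr, payload):
        # The approval is bound to source chain, sender and payload, and is
        # consumed on use so that a validated message cannot be replayed.
        key = (src_chain, src_addr, payload)
        ok = key in self._approved
        self._approved.discard(key)
        return ok

class Receiver:
    """Destination-side contract model; `unlocked` stands in for portal payouts."""
    def __init__(self, gateway, express_checks_gateway):
        self.gateway = gateway
        self.express_checks_gateway = express_checks_gateway
        self.unlocked = []

    def _require_approved(self, src_chain, src_addr, payload):
        if not self.gateway.validate(src_chain, src_addr, payload):
            raise PermissionError("message not approved by gateway")

    def _unlock(self, payload):
        recipient, amount = payload.decode().split(":")
        self.unlocked.append((recipient, int(amount)))

    def execute(self, src_chain, src_addr, payload):
        self._require_approved(src_chain, src_addr, payload)
        self._unlock(payload)

    def express_execute(self, src_chain, src_addr, payload):
        # Weak variant: the alternate path trusts its caller and skips the check.
        # Hardened variant: every path that reaches _unlock passes the same check.
        if self.express_checks_gateway:
            self._require_approved(src_chain, src_addr, payload)
        self._unlock(payload)

def try_express(receiver, src_chain, src_addr, payload):
    """Return 'executed' or 'rejected' for one call on the alternate path."""
    try:
        receiver.express_execute(src_chain, src_addr, payload)
        return "executed"
    except PermissionError:
        return "rejected"
```

With `express_checks_gateway=False` an unapproved message still produces an unlock; with `True` the same message is rejected until the gateway has approved it, and a second delivery of the approved message is rejected as a replay.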

CrossCurve’s own documentation frames cross-chain risk as a “black swan” category and describes a design goal of routing through multiple independent validation protocols (“Consensus Bridge”) to reduce single points of failure.

But even multi-path designs can be undermined by a weak integration contract at the edge.

The Uncomfortable Truth: Bridge UX Wants Speed, Security Wants Paranoia

Users want bridging to feel instant: fewer clicks, less waiting, faster finality.

Security wants the opposite: more confirmations, tighter limits, and “do nothing unless you’re sure.”

Some cross-chain stacks explicitly offer speed features like “express” execution, where off-chain actors can accelerate delivery of an intended outcome.

The trade-off is that fast paths demand extra care in how authenticity is enforced, because the system is trying to move before the slowest proofs arrive.

This tension is why bridge hacks stay evergreen. Bridges concentrate liquidity, and a single verification bypass can unlock assets across multiple networks in one run.

What To Watch Next

CrossCurve has not yet released a full incident report. In most bridge incidents, the next signals that matter are:

  • Whether contracts remain paused and what code changes ship before any restart.
  • Whether the attacker returns funds, often in exchange for a bounty.
  • Whether stablecoin issuers, exchanges, or analytics firms flag and freeze related addresses.
  • Whether independent security teams publish a corroborated root-cause analysis.

For now, the takeaway is familiar and still useful: cross-chain bridges remain one of crypto’s most repeatable failure points, because “truth across chains” is a hard engineering problem with real money behind every assumption.

This is a developing story and will be updated.


Related Q&A

Q: What was the estimated financial loss from the CrossCurve bridge exploit?

A: The estimated financial loss from the CrossCurve bridge exploit was approximately $3 million across several networks.

Q: What was the technical cause of the CrossCurve exploit as described in early reports?

A: The exploit was caused by a spoofed cross-chain message that bypassed validation, which then triggered unauthorized token unlocks on the destination chain.

Q: What action did CrossCurve's CEO take in response to the attack?

A: CrossCurve's CEO, Boris Povar, published ten Ethereum addresses that received the funds and offered a bounty of up to 10% if the assets were returned within 72 hours, warning of legal action if no contact was made.

Q: According to the article, what is the fundamental tension that makes bridge exploits a recurring problem?

A: The fundamental tension is that users want bridging to be fast and instant, while security requires more confirmations, tighter limits, and cautious verification, creating a conflict between user experience and security paranoia.

Q: What general warning did Curve Finance issue in relation to this incident?

A: Curve Finance warned users allocated to CrossCurve pools to review their positions and consider removing votes, urging them to make 'risk-aware decisions' when interacting with third parties.
