ChainCatcher reports that, according to The Block, the cross-chain liquidity protocol CrossCurve (formerly EYWA) has confirmed that its cross-chain bridge protocol is "under attack" due to a vulnerability in its smart contract being exploited, resulting in the theft of approximately $3 million across multiple networks. Blockchain security firm Defimon Alerts discovered that the attack exploited a gateway verification bypass vulnerability in CrossCurve's ReceiverAxelar contract.
Analysis shows that anyone can use forged cross-chain messages to invoke the contract's expressExecute function, thereby bypassing expected gateway verification and triggering unauthorized token unlocking on the PortalV2 protocol contract. The protocol is backed by Curve Finance founder Michael Egorov and has previously raised $7 million.
