The cross-chain liquidity protocol CrossCurve has officially confirmed that its bridge system is under serious attack after a vulnerability in one of its smart contracts was exploited, causing an estimated $3 million in losses across multiple blockchain networks. CrossCurve announced this on Sunday, urging users to cease all interaction with the protocol immediately while the project investigates and fixes the issue.
According to the CrossCurve team, the attacker exploited a vulnerability in a core smart contract of the bridge system, allowing unauthorized token unlocking. Blockchain security experts quickly investigated and pointed out that the vulnerability lay in the ReceiverAxelar contract, where the gateway authentication mechanism had been bypassed. Specifically, anyone could call the expressExecute function with a forged cross-chain message, thereby bypassing the initial security check and triggering unauthorized token unlocking on CrossCurve's PortalV2 contract.
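The missing check described above can be modelled in a few lines. This is an added example, not code from CrossCurve or Axelar: `Gateway`, `Receiver`, `message_key` and `checked_express` are hypothetical names, and the locked balance is kept inside the receiver for brevity instead of in a separate portal contract. It contrasts an express path that skips gateway validation with one that enforces it.

```python
import hashlib

def message_key(command_id, source_chain, source_address, payload):
    """Hash every field, length-prefixed, so an approval covers one exact message."""
    h = hashlib.sha256()
    for part in (command_id, source_chain.encode(), source_address.encode(), payload):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

class Gateway:
    """Toy gateway: holds the messages the validator set has approved."""
    def __init__(self):
        self.approved = set()
    def approve(self, *msg):
        self.approved.add(message_key(*msg))
    def validate(self, *msg):
        key = message_key(*msg)
        if key not in self.approved:
            return False
        self.approved.remove(key)  # single use: blocks replay of an approved message
        return True

class Receiver:
    """Toy receiver holding locked tokens; checked_express selects the hardened form."""
    def __init__(self, gateway, locked, checked_express):
        self.gateway, self.locked, self.checked_express = gateway, locked, checked_express
    def execute(self, *msg):
        if not self.gateway.validate(*msg):
            raise PermissionError("message not approved by gateway")
        self._unlock(msg[3])
    def express_execute(self, *msg):
        # Weak form: the express path trusts the caller and never asks the gateway.
        if self.checked_express and not self.gateway.validate(*msg):
            raise PermissionError("message not approved by gateway")
        self._unlock(msg[3])
    def _unlock(self, payload):
        amount = int.from_bytes(payload, "big")
        if amount > self.locked:
            raise ValueError("insufficient locked balance")
        self.locked -= amount

def run(checked_express):
    """Send one unapproved message down the express path; return (accepted, locked)."""
    receiver = Receiver(Gateway(), locked=1000, checked_express=checked_express)
    # Constructed sample message that the gateway never approved.
    unapproved = (b"\x01" * 32, "chain-a", "0xsender", (1000).to_bytes(32, "big"))
    try:
        receiver.express_execute(*unapproved)
        return True, receiver.locked
    except PermissionError:
        return False, receiver.locked
```

In the hardened form every entry point that can release value goes through the same gateway validation, and each approval is consumed on first use.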
On-chain data shows that PortalV2's balance plummeted from around $3 million to almost zero by the end of January, indicating a rapid and widespread attack affecting multiple blockchains, not just a single network. This raises concerns that cross-chain bridges, despite being touted as having sophisticated security architectures, can still become critical weak points if even one link fails.
This incident has reminded the crypto community of the 2022 Nomad incident, when a similar vulnerability in the bridge led to a $190 million exploit. At that time, hundreds of wallet addresses simultaneously "tore apart" the protocol in a chaotic wave of withdrawals. Many security experts find it worrying that, after years and numerous costly lessons, systemic vulnerabilities in cross-chain bridges continue to appear. Some industry insiders even express disappointment that old attack patterns seem not to have been thoroughly addressed.
CrossCurve, formerly known as EYWA Protocol, is a cross-chain DEX (decentralized exchange) project incorporating a consensus bridge, built in collaboration with Curve Finance. CrossCurve's key feature lies in its "Consensus Bridge" mechanism, where transactions are routed through multiple independent validation layers such as Axelar, LayerZero, and EYWA's internal oracle network, minimizing risk from a single point of failure. Prior to the incident, the project emphasized that the probability of multiple cross-chain protocols being attacked simultaneously was extremely low, a key competitive advantage.






