Cross-chain protocol CrossCurve suffers $3 million hack! CEO issues 72-hour ultimatum to return the funds.


Cross-chain bridge protocols have once again become a cash cow for hackers. CrossCurve issued an urgent announcement on X on Sunday evening, confirming that its smart contracts had been attacked and approximately $3 million had been stolen across multiple blockchain networks. The protocol has asked all users to immediately suspend all interactions with CrossCurve and is conducting a full investigation.

Attack method: Forging cross-chain messages to bypass gateway verification

According to an analysis by Defimon Alerts, a blockchain security firm under Decurity, the core technique of this attack was to exploit a vulnerability in the CrossCurve ReceiverAxelar contract. The attackers bypassed the Axelar gateway's verification mechanism by forging cross-chain messages to call the expressExecute function, directly triggering the unlock operation on the PortalV2 contract.

In short, attackers do not need to actually complete a cross-chain transfer; a forged message is enough to mislead the contract into believing it has received a legitimate cross-chain request, so that it releases locked funds. This is a typical flaw in the message verification stage of a cross-chain bridge architecture: once gateway verification is bypassed, nothing else protects the locked funds.
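The flaw class described above can be shown with a simplified Python model, added here as an illustration; it is not CrossCurve's or Axelar's code, and the class and method names (`Gateway`, `Receiver`, `express_execute_unchecked`) and the `recipient:amount` payload format are hypothetical. It contrasts a fast path that releases funds on caller-supplied fields with one that enforces the same source allowlist and gateway approval as any other entry point.

```python
class Gateway:
    """Toy gateway: records messages the bridge validators approved."""
    def __init__(self):
        self._approved = set()

    def approve(self, chain, sender, payload):
        self._approved.add((chain, sender, payload))

    def validate(self, chain, sender, payload):
        msg = (chain, sender, payload)
        if msg not in self._approved:
            return False
        self._approved.remove(msg)  # single use: an approved message cannot be replayed
        return True

class Receiver:
    """Toy receiver holding locked funds; payload format is 'recipient:amount'."""
    def __init__(self, gateway, peers, locked):
        self.gateway, self.peers, self.locked = gateway, peers, locked

    def _unlock(self, payload):
        _recipient, amount = payload.decode().split(":")
        self.locked -= int(amount)

    def express_execute_unchecked(self, chain, sender, payload):
        # Flawed pattern: the fast path releases funds on caller-supplied fields alone.
        self._unlock(payload)

    def express_execute(self, chain, sender, payload):
        # Hardened: the fast path enforces the peer allowlist and the gateway check.
        if (chain, sender) not in self.peers:
            raise PermissionError("unknown source")
        if not self.gateway.validate(chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        self._unlock(payload)

def locked_after(method_name, approved):
    gw = Gateway()
    rx = Receiver(gw, {("chain-a", "portal-a")}, locked=1000)
    msg = ("chain-a", "portal-a", b"user1:1000")  # constructed sample message
    if approved:
        gw.approve(*msg)
    try:
        getattr(rx, method_name)(*msg)
    except PermissionError:
        pass
    return rx.locked  # funds still locked after the call
```

The design point for reviewers is that every externally callable path that can reach the unlock logic must pass through the same validation, and that an approval must be consumed on use.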

The CEO issued a 72-hour ultimatum.

CrossCurve CEO Boris Povar responded quickly after the incident, publishing 10 wallet addresses that received the stolen tokens and sending a clear message to the attackers: if the funds are returned within 72 hours, they may keep 10% as a bug bounty.

Povar said:

"These tokens were illegally taken from users due to a smart contract vulnerability."

He also warned that if the funds are not returned within the specified period, CrossCurve will treat the matter as a legal case: initiating legal proceedings, seeking to freeze assets, and fully cooperating with law enforcement agencies in their investigation.

Curve Finance issued a warning advising users to withdraw their votes.

Curve Finance, as a partner, also immediately warned users, suggesting they review and consider withdrawing their votes for CrossCurve's liquidity pools. This means the impact of this event may not be limited to CrossCurve itself; the entire DeFi ecosystem integrated with it needs to reassess its risk exposure.

Cross-chain bridge security: DeFi's Achilles' heel

Cross-chain bridges have consistently been among the most vulnerable pieces of infrastructure in the DeFi space. From the $320 million theft from Wormhole in 2022 and the $625 million hack of Ronin Bridge to the recent CrossCurve incident, the security problems of cross-chain bridges remain unresolved.

The core reason is that cross-chain bridges must transmit and verify messages between different blockchains, a process with a much larger attack surface than single-chain applications. This CrossCurve incident serves as a reminder to users: before using cross-chain services, always verify the protocol's security audit records and avoid storing large sums of money in cross-chain bridge contracts for extended periods.
