Analysis of the CrossCurve cross-chain bridge attack: $3 million loss and cross-chain security warnings

Event Overview

CrossCurve (formerly EYWA) cross-chain bridge suffered a serious security attack on February 1, 2026, resulting in a loss of approximately $3 million . Attackers bypassed the ReceiverAxelar contract verification mechanism by forging Axelar cross-chain messages, illegally unlocking funds from the PortalV2 contract. The incident exposed a critical vulnerability in the message verification layer of the cross-chain bridging protocol. The official team has initiated an emergency response and offered a 10% bounty for the return of funds, but the recovery efforts within 72 hours have been limited.

Event Timeline and Key Milestones

Attack Technique Analysis

Root cause of the vulnerability

The attack exploits a validation deficiency in the ReceiverAxelar contract . The specific attack vector is as follows:

• Attackers forged Axelar cross-chain messages to bypass gateway verification mechanisms.
• Directly calling the expressExecute function triggers the PortalV2 contract's illegal unlocking function.
• Utilizing the defects resulting from a diamond upgrade

Multi-chain impact

Although the primary attack occurred on the Ethereum mainnet (chain_id=1), according to Defimon Alerts monitoring, the attack affected multiple networks , including:

• Ethereum mainnet (primary battleground)
• This may involve other chains such as Polygon and BSC (to be further confirmed).

Attack transaction characteristics

Example of a key attack transaction:

• Transaction hash : 0x8441b84b686026db8f3357fcf17f3bbfd3889615fb7e5aa3dfb554752a0433d9
• Block height : 24,363,854
• Gas consumption : 618,071 (approximately 0.000238435 ETH)
• Method calls : unconventional function names such as yoink and run

Fund Flow and Loss Analysis

Attacker's wallet address

The 10 officially confirmed attacker addresses:

 0xAc8f44ceCa92b2a4b30360E5bd3043850a0FFcbE 0x8c259f1e53e79408095d0ba805554d4cdda15285 0x851c01d014b1ad2b1266ca48a4b5578b67194834 0x632400f42e96a5deb547a179ca46b02c22cd25cd 0xd46c81245a0582891c2249daf2d68925977cf2a7 0x80bf7db69556d9521c03461978b8fc731dbbd4e4 0x03d6df0d9af0d2cd871a8b8751e8115e4c3ec02c 0x1fce0648475eb4074661ffebf4879dc2756297c2 0x70ad9ef55aac635cfd0770b5cbe93e246501e41d 0x30524cffb3abb9109efc1280b7caa8b6fbb5cb7f Scale of loss 0xAc8f44ceCa92b2a4b30360E5bd3043850a0FFcbE 0x8c259f1e53e79408095d0ba805554d4cdda15285 0x851c01d014b1ad2b1266ca48a4b5578b67194834 0x632400f42e96a5deb547a179ca46b02c22cd25cd 0xd46c81245a0582891c2249daf2d68925977cf2a7 0x80bf7db69556d9521c03461978b8fc731dbbd4e4 0x03d6df0d9af0d2cd871a8b8751e8115e4c3ec02c 0x1fce0648475eb4074661ffebf4879dc2756297c2 0x70ad9ef55aac635cfd0770b5cbe93e246501e41d 0x30524cffb3abb9109efc1280b7caa8b6fbb5cb7f

Analysis based on on-chain transaction data:

• Total loss : ≈3 million USD (mainly EYWA tokens and other bridging assets)
• Number of transactions : 20+ outgoing transactions
• Transfer speed : Funds are dispersed in a very short time after the attack.

Current financial situation

The attack funds are currently being rapidly dispersed and laundered , with some funds transferred through multiple intermediate addresses, making tracing them difficult. The official return address is: 0x624E0Bd3114e333375f10883B0D7621547939cD5

Project Background and Impact Assessment

CrossCurve Project Overview

CrossCurve (formerly EYWA) is a cross-chain transaction and yield aggregation layer supported by Curve founder Michael Egorov. Built on the Curve AMM, it provides unified cross-chain liquidity, low-slippage swaps, and enhanced farming functionality.

Key metrics (before the attack):

• Daily trading volume : $200,000-$300,000 (data stable in January 2026)
• Funding history : It has raised approximately $7 million in funding.
• TVL data : Precise figures are currently unavailable, but the trading volume suggests a moderate size.

Business impact

1. Service interruption : The bridging service has been suspended, and users are unable to perform cross-chain transfers.
2. Token Price Impact : EYWA tokens may face selling pressure (continuous monitoring required).
3. User confidence : The security of cross-chain bridges is once again being questioned.

Official Response and Crisis Management

Emergency measures

1. Real-time announcements : Users will be promptly warned to suspend interaction via the official Twitter account.
2. Threat Response : Offer a 10% bounty (up to $300,000) to the attacker in exchange for a refund.
3. Legal preparation : It is clear that failure to return within 72 hours will trigger criminal referrals and civil proceedings.

Technical response

• Vulnerability analysis and remediation plan development in progress
• Enhanced Contract Audit Program
• Security monitoring upgrade

Safety Implications and Industry Impact

Inherent risks of cross-chain bridging protocols

This incident once again highlights the core security vulnerabilities of cross-chain bridging protocols:

1. Message verification vulnerability : Cross-chain message authenticity verification is a systemic weakness.
2. Contract Upgrade Risks : Diamond Upgrade Mode Introduces New Attack Surface
3. Multi-chain complexity : Cross-chain operations increase the difficulty of security auditing.

Historical comparison

Similarities to historical bridging attacks:

• The 2022 Nomad incident : Also caused by a verification vulnerability, resulting in a loss of $190 million, with hundreds of impersonators.
• Deficiencies in cross-chain standards : Lack of unified cross-chain security standards.

Industry warning

1. Audit Importance : More stringent audit standards for cross-chain contracts are needed.
2. Monitoring System : The Necessity of a Real-Time Abnormal Transaction Monitoring System
3. Insurance Mechanism : Cross-chain bridging requires more comprehensive insurance coverage.

Future Risks and Countermeasures

Short-term risks

1. Mimicry Attacks : Other cross-chain bridges may face similar attack threats.
2. Funds Recovery : The effectiveness of legal enforcement after the 72-hour bounty period is uncertain.
3. Project survival : A $3 million loss poses an existential threat to a medium-sized project.

Long-term recommendations

1. Security Standards : Establishing Best Practices for Cross-Chain Bridging Security
2. Multi-layer verification : Implementing multi-signature and multi-verification mechanisms.
3. Incremental Deployment : New contract upgrades adopt incremental rolling updates.
4. Community oversight : Establishing a white-hat hacker community oversight mechanism

in conclusion

The CrossCurve cross-chain bridge attack was a significant security incident in the DeFi field in early 2026, causing direct losses of approximately $3 million and exposing systemic vulnerabilities in the message verification layer of cross-chain infrastructure. While the official response and transparent communication during the incident handling process are commendable, recovering the funds faces significant challenges.

Key lessons learned : Cross-chain bridging protocols must prioritize security over efficiency, especially in critical areas such as message verification and contract upgrades, where a more conservative design approach is needed. As cross-chain interaction becomes standard in the blockchain ecosystem, the industry impact of such security incidents will become increasingly profound, requiring developers, auditing firms, and the community to collaborate in building a more robust cross-chain security system.

Monitoring Recommendations : Users and investors are advised to closely monitor the official recovery plan, progress in fund recovery, and the results of independent security audits, while carefully assessing the risk exposure of other similar cross-chain bridging projects.