Meet the Top 101 in Crypto
News
5 min read

CrossCurve Bridge Exploit Drains About $3M, Rekindling Cross-Chain Risk

Published 02 February 2026
Alex Shilina
Authors
Edited by Insha Zia
Key Takeaways
  • CrossCurve said its bridge was “under attack” on Feb. 2 and told users to pause interactions.
  • Defimon Alerts, linked to Decurity, estimated losses around $3 million across “several networks.”
  • Early reporting and security posts described a spoofed cross-chain message that bypassed validation and triggered token unlocks on the destination chain.

Cross-chain liquidity protocol CrossCurve said its bridge was exploited on Feb. 2, with security monitors estimating roughly $3 million in losses across multiple networks.

The protocol urged users to pause interactions while it investigated.

Later, CEO Boris Povar published 10 Ethereum addresses he said received funds and offered a bounty of up to 10% if the assets were returned within 72 hours, warning that the project would pursue legal action if no contact was made.

Try Our Recommended Crypto Exchanges
Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

CrossCurve Attack Timeline

CrossCurve said on Feb. 2 that its bridge was “under attack,” due to the exploitation of a vulnerability in one of the smart contracts used in its cross-chain system.

The exploit allowed an attacker to spoof a message to bypass validation and unlock tokens.

One quoted description said an attacker could call an “express” execution path on a receiver contract using a forged cross-chain message, then trigger an unlock on a portal contract.

CrossCurve has not published a full post-mortem or confirmed a final loss figure. Separate estimates clustered around $3 million.

In a follow-up post, Povar said the team identified 10 Ethereum addresses associated with received funds and set a 72-hour window to return the assets or make contact before escalation.

He said the project was prepared to pursue civil and criminal remedies and coordinate with industry partners to freeze assets.

CrossCurve did not immediately respond to a request for comment on the specific bug, the final loss amount, or a timeline for reopening.

A separate warning came from Curve Finance, which said users allocated to CrossCurve pools “may wish to review their positions” and consider removing votes, urging “risk-aware decisions” when interacting with third parties.

Why Spoofed Messages and Validation Assumptions Keep Winning

Bridge exploits often look like “just a smart contract bug.” The deeper pattern is verification failure.

A bridge is a promise: release assets on Chain B because something real happened on Chain A. The hard part is proving that “something real” without trusting an attacker’s message.

In general message passing, the destination contract is supposed to verify that a call was approved by the validator set by checking with the gateway (for example, via a validation function) before executing.

If a receiver contract accepts an alternate path that skips or weakens that check, a forged message can become a payout.

That’s why the “receiver side” matters as much as the messaging layer.

A protocol can route messages through reputable infrastructure and still lose funds if its own destination contract implements permissive logic, unsafe fast paths, or incorrect assumptions about upstream guarantees.

CrossCurve’s own documentation frames cross-chain risk as a “black swan” category and describes a design goal of routing through multiple independent validation protocols (“Consensus Bridge”) to reduce single points of failure.

But even multi-path designs can be undermined by a weak integration contract at the edge.

The Uncomfortable Truth: Bridge UX Wants Speed, Security Wants Paranoia

Users want bridging to feel instant: fewer clicks, less waiting, faster finality.

Security wants the opposite: more confirmations, tighter limits, and “do nothing unless you’re sure.”

Some cross-chain stacks explicitly offer speed features like “express” execution, where off-chain actors can accelerate delivery of an intended outcome.

The trade-off is that fast paths demand extra care in how authenticity is enforced, because the system is trying to move before the slowest proofs arrive.

This tension is why bridge hacks stay evergreen. Bridges concentrate liquidity, and a single verification bypass can unlock assets across multiple networks in one run.

What To Watch Next

CrossCurve has not yet released a full incident report. In most bridge incidents, the next signals that matter are:

  • Whether contracts remain paused and what code changes ship before any restart.
  • Whether the attacker returns funds, often in exchange for a bounty.
  • Whether stablecoin issuers, exchanges, or analytics firms flag and freeze related addresses.
  • Whether independent security teams publish a corroborated root-cause analysis.

For now, the takeaway is familiar and still useful: cross-chain bridges remain one of crypto’s most repeatable failure points, because “truth across chains” is a hard engineering problem with real money behind every assumption.

This is a developing story and will be updated.

Alex Shilina

PhD, researcher and writer exploring AI, blockchain, and the philosophy of tech, with a focus on DeScAI, governance, and trust.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status