Cross-chain liquidity protocol CrossCurve said its bridge was exploited on Feb. 2, with security monitors estimating roughly $3 million in losses across multiple networks.
The protocol urged users to pause interactions while it investigated.
Later, CEO Boris Povar published 10 Ethereum addresses he said received funds and offered a bounty of up to 10% if the assets were returned within 72 hours, warning that the project would pursue legal action if no contact was made.
CrossCurve said on Feb. 2 that its bridge was “under attack,” due to the exploitation of a vulnerability in one of the smart contracts used in its cross-chain system.
The exploit allowed an attacker to spoof a message to bypass validation and unlock tokens.
One quoted description said an attacker could call an “express” execution path on a receiver contract using a forged cross-chain message, then trigger an unlock on a portal contract.
CrossCurve has not published a full post-mortem or confirmed a final loss figure. Separate estimates clustered around $3 million.
In a follow-up post, Povar said the team identified 10 Ethereum addresses associated with received funds and set a 72-hour window to return the assets or make contact before escalation.
He said the project was prepared to pursue civil and criminal remedies and coordinate with industry partners to freeze assets.
CrossCurve did not immediately respond to a request for comment on the specific bug, the final loss amount, or a timeline for reopening.
A separate warning came from Curve Finance, which said users allocated to CrossCurve pools “may wish to review their positions” and consider removing votes, urging “risk-aware decisions” when interacting with third parties.
Bridge exploits often look like “just a smart contract bug.” The deeper pattern is verification failure.
A bridge is a promise: release assets on Chain B because something real happened on Chain A. The hard part is proving that “something real” without trusting an attacker’s message.
In general message passing, the destination contract is supposed to verify that a call was approved by the validator set by checking with the gateway (for example, via a validation function) before executing.
If a receiver contract accepts an alternate path that skips or weakens that check, a forged message can become a payout.
That’s why the “receiver side” matters as much as the messaging layer.
A protocol can route messages through reputable infrastructure and still lose funds if its own destination contract implements permissive logic, unsafe fast paths, or incorrect assumptions about upstream guarantees.
CrossCurve’s own documentation frames cross-chain risk as a “black swan” category and describes a design goal of routing through multiple independent validation protocols (“Consensus Bridge”) to reduce single points of failure.
But even multi-path designs can be undermined by a weak integration contract at the edge.
Users want bridging to feel instant: fewer clicks, less waiting, faster finality.
Security wants the opposite: more confirmations, tighter limits, and “do nothing unless you’re sure.”
Some cross-chain stacks explicitly offer speed features like “express” execution, where off-chain actors can accelerate delivery of an intended outcome.
The trade-off is that fast paths demand extra care in how authenticity is enforced, because the system is trying to move before the slowest proofs arrive.
This tension is why bridge hacks stay evergreen. Bridges concentrate liquidity, and a single verification bypass can unlock assets across multiple networks in one run.
CrossCurve has not yet released a full incident report. In most bridge incidents, the next signals that matter are:
For now, the takeaway is familiar and still useful: cross-chain bridges remain one of crypto’s most repeatable failure points, because “truth across chains” is a hard engineering problem with real money behind every assumption.
This is a developing story and will be updated.
You’re All Set!
Thanks for signing up. We’ll be in touch soon with the latest insights.
