In short
CrossCurve said Sunday that an attacker exploited a flaw in its bridge contracts and identified 10 Ethereum addresses that received the funds.
Its CEO, Boris Povar, said the team would pursue legal and enforcement action if the funds are not returned within 72 hours.
Security firms estimate losses at roughly $3 million across several blockchains, though CrossCurve has yet to confirm that figure.
Decentralized finance protocol CrossCurve, formerly known as EYWA, says it has publicly identified ten Ethereum addresses linked to a hack of its token transfer system on Sunday.
CrossCurve disclosed Sunday afternoon that an attacker exploited a flaw “involving the exploitation of a vulnerability in one of the smart contracts” used for its cross-chain bridge, a system that lets users move tokens between different blockchains.
Hours later, CrossCurve CEO Boris Povar said the team had identified ten Ethereum addresses that received the funds in question.
“These tokens were wrongfully taken from users as a result of a smart contract exploit,” Povar said. “We don’t believe this was intentional on your part, and there’s no indication of malicious intent.”
Povar warned that if the funds are not returned or no contact is established within 72 hours, the team would “assume malicious intent and treat the matter as a judicial issue.”
Failure to return the funds would trigger immediate escalation, including criminal referrals, civil litigation, coordination with exchanges and issuers to freeze assets, public disclosure of wallet and transaction data, and cooperation with law enforcement and blockchain analytics firms, Povar added.
A smart contract is a program that runs on a blockchain and automatically executes transactions based on predefined rules.
Defimon Alerts, a social account run by blockchain security firm Decurity, offered an initial estimate that the exploit resulted in losses of around $3 million across “multiple networks,” adding that the flaw let an attacker send a fake cross-chain message to CrossCurve’s smart contract that bypassed checks and caused the bridge to release funds.
Blockchain security firm BlockSec, meanwhile, estimated total losses at about $2.76 million, including roughly $1.3 million on Ethereum and about $1.28 million on Arbitrum, as well as on several other chains, including Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.
CrossCurve has not publicly confirmed the loss estimate cited by security firms, and has not shared its own figure for the funds affected. Decrypt has reached out to CrossCurve for comment.
The exploit stemmed from a “lack of validation,” the team at BlockSec told Decrypt.
“The cross-chain messages that should have been validated weren’t verified, causing the destination-chain contract to believe the message reflected a genuine transaction initiated on the source chain and to release the corresponding assets based on attacker-forged payload data,” BlockSec said.
The incident shows that “cross-chain security still leans too heavily on a single validation pathway,” BlockSec added. “If any alternate execution path bypasses that check, the entire trust model collapses.”
“This exploit wasn’t a failure of Axelar’s core protocol; it was a receiver-side failure,” Dan Dadybayo, research and strategy lead at Unstoppable Wallet, told Decrypt. “CrossCurve’s custom ReceiverAxelar contract executed cross-chain messages without sufficiently authenticating them first.”
Dadybayo said this pattern has been seen before in cases like Nomad’s 2022 hack.
“The hard part of bridge security isn’t the messaging layer, it’s making sure nothing happens until authenticity is fully confirmed,” he added. “Custom receivers remain the weakest link. As long as bridges concentrate liquidity and rely on bespoke validation logic, they will continue to be the highest-risk surface in DeFi.”
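To make the receiver-side failure described by BlockSec and Dadybayo concrete, here is an added illustration that is not CrossCurve's, Axelar's or any audited project's code: a bridge receiver that releases tokens on any well-formed payload, beside one that first asks the gateway to confirm the message was approved and then checks the sender against a trusted peer. The `validateContractCall` signature follows Axelar's gateway interface; the contract names, payload layout and trusted-peer mapping are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Axelar gateway interface (assumption: only this call is needed here).
// validateContractCall returns true only for a message the gateway has approved and
// marks it executed, so the same commandId cannot be replayed.
interface IAxelarGateway {
    function validateContractCall(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes32 payloadHash
    ) external returns (bool);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: any caller supplying a decodable payload gets tokens released.
// Nothing ties the payload to a message the gateway actually approved.
contract VulnerableReceiver {
    IERC20 public immutable token;
    constructor(IERC20 t) { token = t; }

    function execute(bytes calldata payload) external {
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(token.transfer(to, amount), "transfer failed"); // released on unverified data
    }
}

// Hardened pattern: (1) the gateway must confirm commandId/source/payloadHash were
// approved, (2) the source contract must be the configured peer, (3) only then decode
// and release. Funds move only after authenticity is fully confirmed.
contract HardenedReceiver {
    IAxelarGateway public immutable gateway;
    IERC20 public immutable token;
    mapping(bytes32 => bool) public trustedSource; // keccak256(chain, address) -> allowed

    constructor(IAxelarGateway g, IERC20 t, string memory peerChain, string memory peerAddr) {
        gateway = g;
        token = t;
        trustedSource[keccak256(abi.encode(peerChain, peerAddr))] = true;
    }

    function execute(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload
    ) external {
        bytes32 payloadHash = keccak256(payload);
        require(gateway.validateContractCall(commandId, sourceChain, sourceAddress, payloadHash), "not approved by gateway");
        require(trustedSource[keccak256(abi.encode(sourceChain, sourceAddress))], "untrusted source");
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

A test or audit checklist for a receiver then reduces to the two `require` lines: can `execute` ever reach the transfer through a path that skips the gateway check, and can an untrusted source chain or address satisfy the peer check.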