CROSSCURVE SMART CONTRACT EXPLOITED, DEFI PROTOCOL LOSES $3M ON MULTIPLE CHAINS
Cross-chain bridge CrossCurve announced on Monday that it experienced a major security breach, resulting in a loss of $3 million across multiple blockchain networks. The incident highlights ongoing vulnerabilities in cross-chain infrastructure and raises questions about the security of interconnected DeFi protocols.
The platform warned users to suspend all interactions with CrossCurve until further notice.
Smart Contract Vulnerability Exploited
According to CrossCurve, attackers exploited a flaw in the protocol’s smart contracts, and tokens that were “wrongfully taken” from other users were sent to certain user addresses.
“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” CrossCurve said, identifying 10 affected addresses.
Blockchain security account Defimon Alerts explained that the vulnerability lay in CrossCurve’s Receiver Axelar contract. Attackers were able to spoof cross-chain messages, bypassing gateway validation and triggering unauthorized token unlocks in the PortalV2 contract.
Curve Finance also advised users who have allocated votes to protocol-related pools to review their positions and consider removing those votes.
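A simplified model of the gateway validation described above, added here as an illustration; it is not CrossCurve's or Axelar's code, and the class names, the `recipient:amount` payload format and the sample values are constructed assumptions. The receiver unlocks tokens only when the message comes from a trusted source and the gateway holds a matching, unused approval for it.

```python
import hashlib

class Gateway:
    """Stand-in for the bridge gateway: remembers messages the validators approved."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(command_id, chain, sender, payload):
        return (command_id, chain, sender, hashlib.sha256(payload).hexdigest())

    def approve(self, command_id, chain, sender, payload):
        # Assumption: in a real bridge this runs only after validator signatures verify.
        self._approved.add(self._key(command_id, chain, sender, payload))

    def validate_contract_call(self, command_id, chain, sender, payload):
        key = self._key(command_id, chain, sender, payload)
        if key not in self._approved:
            return False
        self._approved.remove(key)  # single use, so a replayed message fails
        return True

class Portal:
    """Stand-in for the contract that holds locked tokens."""
    def __init__(self, locked):
        self.locked, self.balances = locked, {}

    def unlock(self, recipient, amount):
        if not 0 < amount <= self.locked:
            raise ValueError("invalid unlock amount")
        self.locked -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class Receiver:
    def __init__(self, gateway, portal, trusted_sources):
        self.gateway, self.portal, self.trusted = gateway, portal, set(trusted_sources)

    def execute(self, command_id, chain, sender, payload):
        # Check 1: only the known remote contract on the known chain may instruct us.
        if (chain, sender) not in self.trusted:
            raise PermissionError("untrusted source")
        # Check 2: the gateway must have approved exactly this message and payload.
        if not self.gateway.validate_contract_call(command_id, chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        recipient, amount = payload.decode().split(":")
        self.portal.unlock(recipient, int(amount))
```

Both checks run before any state changes, so a message that was never approved, was already consumed, or carries an altered payload leaves the locked balance untouched.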
CrossCurve’s Background
The protocol is backed by Curve Finance founder Michael Egorov and raised $7 million from venture capital firms in 2023. It operates as a cross-chain bridge, facilitating token transfers between different blockchain networks.
White-Hat Bounty Offered
CrossCurve is offering a 10% white-hat bounty for the recovery of funds. Under the Safe Harbor Responsible Disclosure Policy:
- Hackers can retain up to 10% of the stolen funds if the remainder is returned.
- The project has set a 72-hour deadline for effective communication and fund recovery.
If the funds are not returned within this period, CrossCurve plans to escalate the matter, which may include:
- Formal criminal and civil proceedings
- Collaboration with exchanges like Coinbase and Binance
- Coordination with stablecoin issuers, law enforcement, and blockchain analytics firms, including Chainalysis, TRM Labs, and Elliptic
Comparison to Previous Cross-Chain Hacks
The CrossCurve exploit is reminiscent of the Nomad bridge hack in 2022, which saw a loss of $190 million and affected around 8,000 Solana wallets.
Andrew Morfill, Chief Information Security Officer at Komainu, commented on preventive measures:
“Using industry-standard, audited smart contract templates, secure software development lifecycles, and continuous updates will enhance credibility and security as the market matures.”
What This Means for Users
The hack underscores the risks of cross-chain bridges and DeFi platforms. Users are advised to:
- Pause interactions with the affected bridge
- Monitor updates from CrossCurve
- Consider reviewing allocations and votes in related pools
While the bounty incentivizes fund recovery, the incident highlights the importance of audits, security practices, and cautious participation in DeFi.