CrossCurve, a cross-chain bridge and liquidity protocol, confirmed a major hack that drained about $3 million in crypto. The loss occurred across several connected networks, not just a single chain.
The team disclosed the breach in a post on X and told users to stop using the protocol while it investigated. A key liquidity pool in the PortalV2 contract dropped from roughly $3 million to nearly zero during the attack.
Security analysts traced the exploit to a vulnerability in a contract called ReceiverAxelar. This contract is supposed to check cross-chain messages before unlocking tokens on the destination chain.
The Smart Contract Flaw Behind The Breach
Experts found that the ReceiverAxelar contract failed to validate incoming cross-chain messages. The attacker could call a function named expressExecute using spoofed messages that looked legitimate.
Because gateway checks were missing or weak, the contract accepted the forged messages and triggered the PortalV2 contract to release tokens. Those tokens were never actually locked on the source chain, so the protocol effectively paid out unbacked assets.
Blockchain security firm BlockSec described the issue as a “lack of validation” on the cross-chain path. The firm warned that cross-chain systems still rely too heavily on a single validation path, which can collapse if a single check fails.
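The missing check described above can be shown with a small Python model. This is an added illustration, not CrossCurve's or Axelar's code; the `Gateway` and `Receiver` classes, their methods, and the chain, contract and recipient names are all assumptions constructed for the example.

```python
import hashlib

def message_id(chain: str, sender: str, payload: bytes) -> str:
    """Bind a message to its source chain, sender and payload."""
    h = hashlib.sha256()
    for part in (chain.encode(), sender.encode(), payload):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.hexdigest()

class Gateway:
    """Hypothetical stand-in for the destination-chain gateway."""
    def __init__(self):
        self._approved = set()
    def approve(self, chain, sender, payload):
        self._approved.add(message_id(chain, sender, payload))
    def consume(self, chain, sender, payload) -> bool:
        """True exactly once per approved message; forged or replayed ones fail."""
        mid = message_id(chain, sender, payload)
        ok = mid in self._approved
        self._approved.discard(mid)
        return ok

class Receiver:
    """Hypothetical receiver that releases pool liquidity on a cross-chain message."""
    def __init__(self, gateway, liquidity, trusted_peers, validate):
        self.gateway, self.liquidity = gateway, liquidity
        self.trusted_peers, self.validate = trusted_peers, validate
    def execute(self, chain, sender, payload: bytes):
        if self.validate:
            if (chain, sender) not in self.trusted_peers:
                raise PermissionError("untrusted source contract")
            if not self.gateway.consume(chain, sender, payload):
                raise PermissionError("not approved by gateway")
        _recipient, amount = payload.decode().split(":")
        self.liquidity -= int(amount)  # tokens leave the pool

def run_scenario(validate: bool):
    """Constructed sample: one forged message, one gateway-approved, one replay."""
    gateway = Gateway()
    rx = Receiver(gateway, 3_000_000, {("chain-a", "portal-a")}, validate)
    gateway.approve("chain-a", "portal-a", b"alice:1000")  # backed by a source-chain lock
    outcomes = []
    for payload in (b"unknown:2000000", b"alice:1000", b"alice:1000"):
        try:
            rx.execute("chain-a", "portal-a", payload)
            outcomes.append("paid")
        except PermissionError:
            outcomes.append("rejected")
    return outcomes, rx.liquidity
```

With `validate=False` all three messages pay out, including the one the gateway never approved and the replay; with `validate=True` only the single approved message is honoured.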
CrossCurve’s 72-Hour Ultimatum And Bounty
Soon after the hack, CrossCurve’s CEO, Boris Povar, said the team had identified ten Ethereum addresses that received the misdirected funds. He stressed that the tokens were taken from users because of the bug, not through any normal transfer.
The project published these addresses and asked the holders to cooperate in returning the assets. CrossCurve said it had not yet observed clear malicious intent from some recipients and was treating them as possible white hats.
To encourage refunds, CrossCurve offered a bounty of up to 10 percent of the recovered funds for those who returned tokens within 72 hours. The remaining 90 percent must be sent to the specific recovery address the project shared publicly.
If there is no response or refund within 72 hours from a specific Ethereum block height, CrossCurve plans to escalate. Its alternatives include filing criminal complaints, pursuing civil litigation, collaborating with exchanges and stablecoin issuers to freeze funds, and publishing full wallet information with assistance from analytics firms such as Chainalysis and TRM Labs.