CrossCurve DeFi Protocol Smart Contract Hacked, Resulting in $3M Loss on Various Chains

Cross-chain bridge CrossCurve announced on Monday that it has experienced a significant attack, resulting in a loss of $3 million across various networks.

The DeFi protocol indicated that a weakness in its smart contracts had been exploited, raising alarm about the security of cross-chain infrastructure.

“Our bridge is currently under attack,” it stated on X, advising users to halt all interactions with CrossCurve.

URGENT Security Notice
Dear users,
Our bridge is currently under attack, involving the exploitation of a flaw in one of the utilized smart contracts.
Please suspend all interactions with CrossCurve while the investigation is underway.
We appreciate your patience and… pic.twitter.com/yfo1KvWoDd

— CrossCurve (@crosscurvefi) February 1, 2026

Smart Contract Vulnerability: Attackers Utilized Spoofed Messages

According to the CrossCurve post, certain user addresses received token funds that were “improperly taken” from other users due to the vulnerability in the smart contract.

“We do not believe this was intentional on your part, and there is no evidence of malicious intent. We seek your cooperation in returning the funds,” the platform stated, identifying a total of 10 addresses.

As per the blockchain security account Defimon Alerts, a vulnerable smart contract known as ReceiverAxelar on CrossCurve allowed anyone to spoof cross-chain messages, circumventing the gateway validation. This led to unauthorized token unlocks on the PortalV2 contract.

CrossCurve @crosscurvefi (ex https://t.co/4HJ33uOZUS) has been exploited for approximately 3 million across multiple networks.
Anyone could invoke expressExecute on the ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlocks on PortalV2.… pic.twitter.com/EfYe3Tfo9v

— Defimon Alerts (@DefimonAlerts) February 1, 2026

Furthermore, Curve Finance advised users who have cast votes for the platform-related pools to “consider reviewing their positions and potentially withdrawing those votes.”

The protocol is supported by Curve Finance founder Michael Egorov and secured $7 million from venture capitalists in 2023.

CrossCurve Offers 10% White Hat Bounty, Establishes 72-Hour Deadline

According to the Safe Harbor Responsible Disclosure Policy, which outlines the procedures for responsibly reporting security vulnerabilities, a 10% bounty will be awarded if a white-hat hacker assists in recovering the funds.

“This makes you eligible to retain up to 10% if the remaining funds are returned,” the project team highlighted.

Additionally, CrossCurve has imposed a 72-hour deadline for hackers to return the funds. If effective communication is not established, the project team will escalate the matter immediately.

This escalation includes formal criminal and civil actions, working with exchanges such as Coinbase and Binance, stablecoin issuers, law enforcement agencies, and on-chain analytics firms, including Chainalysis, TRM Labs, and Elliptic.

The CrossCurve hack bears similarities to Nomad’s $190 million bridge exploit in 2022, which compromised an estimated 8000 Solana wallets.

“In terms of prevention, adopting a standard set of secure smart contract templates, conducting smart contract audits, and implementing secure software development lifecycles would be positive steps,” Andrew Morfill, Chief Information Security Officer at Komainu, told Cryptonews. “As the market evolves, protocols that are securely developed and updated with genuine utility will provide the credibility and security assurance that investors seek.”

The post DeFi Protocol CrossCurve Smart Contract Exploited, Suffers $3M Loss Across Multiple Chains appeared first on Cryptonews.