Update (Feb. 2, 12:20 am UTC): This article has been updated to add a post by CrossCurve CEO Boris Povar.
Crypto protocol CrossCurve said its cross-chain bridge has been attacked, with $3 million reportedly exploited across multiple networks.
CrossCurve posted to X late on Sunday that its bridge was “under attack, involving the exploitation of a vulnerability in one of the smart contracts used.”
“Please pause all interactions with CrossCurve while the investigation is ongoing,” it added.
Defimon Alerts, an X account linked to the blockchain security company Decurity, reported that CrossCurve was exploited for around $3 million “on several networks.”
It added that one of CrossCurve’s smart contracts allowed anyone to spoof a message to bypass validation and unlock tokens.
“Anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2,” Defimon Alerts said.
Curve Finance, which has partnered with CrossCurve, posted on X that users who allocated to CrossCurve pools “may wish to review their positions and consider removing those votes.”
“We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects,” it added.
CrossCurve offers 10% bounty if funds returned in 72 hours
In an attempt to contact the attacker, CrossCurve CEO Boris Povar shared 10 addresses he said had received tokens from the exploit and offered a reward for their return within 72 hours.
“These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent,” he said. “We hope for your cooperation in returning the funds.”
Povar offered up to a 10% bounty if the funds were returned within 72 hours of the attack.
“If the funds are not returned or no contact is established within 72 hours, we will have to assume there is malicious intent and treat this as a judicial matter,” he added.
Povar said CrossCurve was prepared to work with law enforcement, file civil lawsuits to recover damages, and coordinate with authorities and other crypto projects to freeze assets if the funds were not returned.