Cross-chain protocol CrossCurve has confirmed an active security incident after attackers exploited a flaw in one of its bridge-related smart contracts, draining roughly $3 million in assets across multiple blockchain networks.
- CrossCurve suffered an estimated $3 million loss after a flaw allowed spoofed cross-chain messages to bypass validation.
- The exploit targeted bridge-related smart contracts and affected multiple networks.
- Partners and users are being urged to reassess exposure as investigations remain ongoing.
The team acknowledged the breach in a public statement, warning users to immediately halt all interactions with CrossCurve while an internal investigation is underway. According to the protocol, the attack stems from a vulnerability tied to its cross-chain infrastructure rather than user-facing applications.
How the exploit unfolded
Blockchain security monitor Defimon Alerts traced the incident to a weakness in a contract linked to CrossCurve’s Axelar-based message handling. The flaw allowed malicious actors to forge cross-chain messages and bypass standard validation checks, ultimately triggering unauthorized token unlocks on the PortalV2 contract.
In practical terms, attackers were able to call a privileged execution function using spoofed data, giving them access to funds that should have remained locked. On-chain data indicates the exploit was carried out on several networks, suggesting a coordinated and automated attack rather than a single isolated transaction.
Multiple attacker addresses have already been identified, and fund movements show a rapid outflow shortly after the exploit was initiated.
Protocol response and ecosystem impact
CrossCurve stated that it is actively working with security partners to assess the full scope of the damage and determine whether additional contracts may be affected. No timeline has been given yet for a potential fix or the resumption of normal operations.
The incident has also prompted caution from partners in the broader DeFi ecosystem. Curve Finance, which has existing integrations with CrossCurve, advised users exposed to CrossCurve-linked pools to reassess their positions and consider withdrawing governance support tied to those allocations.
While Curve emphasized that its own core contracts remain unaffected, the message underscored growing concerns around third-party risk, particularly in cross-chain systems where complexity can amplify the impact of a single vulnerability.
Cross-chain security under renewed scrutiny
This latest exploit adds to a growing list of bridge-related incidents, reinforcing long-standing warnings from security researchers about the risks of cross-chain message verification. Even protocols with strong liquidity and reputable partners remain vulnerable if validation layers can be circumvented.
As investigations continue, users are being urged to monitor official updates closely and avoid interacting with CrossCurve contracts until a full post-mortem and remediation plan are released.
The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.
Source: https://coindoo.com/another-cross-chain-protocol-falls-victim-to-bridge-exploit/