TLDR:
- CrossCurve’s ReceiverAxelar contract lacked validation checks, enabling attackers to spoof messages.
- The exploit drained approximately $3 million from PortalV2 across multiple blockchain networks.
- Security experts compare the incident to Nomad’s 2022 bridge hack that lost $190 million in funds.
- Curve Finance advised users to review positions in EYWA-related pools following the security breach.
CrossCurve, a cross-chain liquidity protocol formerly known as EYWA, confirmed a security breach on Sunday that drained approximately $3 million from its bridge infrastructure.
The attack exploited a validation vulnerability in the protocol’s smart contracts, prompting the team to urge users to halt all platform interactions.
The incident affects multiple blockchain networks and raises concerns about bridge security practices in decentralized finance.
Missing Validation Check Enables Unauthorized Token Withdrawals
The exploit targeted a critical weakness in CrossCurve’s ReceiverAxelar contract, according to blockchain security account Defimon Alerts.
Attackers bypassed gateway validation by calling the expressExecute function with fabricated cross-chain messages.
This manipulation triggered unauthorized token unlocks from the protocol’s PortalV2 contract without proper verification.
Data from Arkham Intelligence revealed the PortalV2 contract’s balance collapsed from roughly $3 million to nearly zero on January 31.
The attack spread across multiple networks connected to CrossCurve’s bridge infrastructure. Security expert Taylor Monahan drew comparisons to Nomad’s $190 million bridge hack in 2022, which saw over 300 wallets drain funds simultaneously.
“I cannot believe nothing has changed in four years,” Monahan stated when analyzing the exploit’s similarities to previous bridge vulnerabilities.
The ReceiverAxelar contract lacked essential validation checks that should have prevented spoofed messages from executing token transfers. This fundamental oversight allowed attackers to manipulate the system and extract funds systematically.
CrossCurve issued an urgent notice on X acknowledging the ongoing attack. “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” the team announced.
The protocol requested users pause all CrossCurve interactions while investigators assessed the damage and identified remediation steps.
Protocol’s Security Claims Contradicted by Exploit Mechanics
CrossCurve operates a cross-chain DEX and consensus bridge developed alongside Curve Finance. The platform employs a Consensus Bridge mechanism routing transactions through multiple validation protocols including Axelar, LayerZero, and the EYWA Oracle Network. This architecture aimed to eliminate single points of failure in cross-chain operations.
The project previously marketed its security framework as superior to competitors. Protocol documentation claimed “the probability of several crosschain protocols getting hacked at the same time is near zero.”
However, the exploit bypassed these protections by targeting the validation layer rather than the consensus mechanism itself.
Curve Finance founder Michael Egorov invested in the protocol during September 2023. CrossCurve later disclosed raising $7 million from venture capital firms to expand operations.
The protocol rebranded from EYWA Protocol while maintaining its core bridge technology and partnership relationships.
Curve Finance responded to the incident by advising users with allocations in EYWA-related pools. “Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” the platform stated on X.
The organization encouraged participants to exercise caution when engaging with third-party protocols and make risk-aware decisions.
The post CrossCurve Bridge Exploited for $3 Million Through Smart Contract Validation Flaw appeared first on Blockonomi.
Source: https://blockonomi.com/crosscurve-bridge-exploited-for-3-million-through-smart-contract-validation-flaw/
