Verify a decision

{"actor":"system:backfill","investigation_id":"352986c8-e69e-447e-82cc-2cde4fc2c80d","kind":"publish","page_slug":"crosscurve-bridge","published_at":"2026-05-28T03:23:08.277Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"CrossCurve Bridge","sections":[{"content":"On February 2, 2026, CrossCurve confirmed its bridge infrastructure was under active attack. The exploit drained approximately $3 million from the protocol's PortalV2 contracts across multiple blockchain networks. According to security monitors including Defimon Alerts, the vulnerability allowed anyone to call the expressExecute function on the ReceiverAxelar contract with a spoofed cross-chain message. Because the contract lacked rigorous caller verification, it treated the attacker's fabricated payload as a legitimate cross-chain instruction from the Axelar gateway, triggering unauthorized token releases from PortalV2 without any corresponding deposit on the source chain. On-chain data tracked by Arkham Intelligence reportedly showed the PortalV2 contract balance dropping to near zero around January 31, approximately one day before the public announcement. The attacker subsequently swapped, bridged, and laundered the stolen tokens in an attempt to obscure their trail.","heading":"February 2026 Smart Contract Exploit","severity":"critical","sources":[{"credibility":2,"name":"CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages — The Block","type":"news_article","url":"https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages"},{"credibility":2,"name":"$3 Million Reportedly Lost in CrossCurve Bridge Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/crosscurve-bridge-exploit-loss/"},{"credibility":2,"name":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"credibility":2,"name":"CrossCurve exploited for $3 million in multi-network bridge attack — Crypto.news","type":"news_article","url":"https://crypto.news/crosscurve-exploited-for-3-million-in-multi-network-bridge-attack/"}]},{"content":"Security firm Halborn analyzed the exploit and attributed it to weak access controls in the ReceiverAxelar contract's expressExecute-like functions. These functions were intended to accept messages exclusively from the Axelar gateway, but lacked validation sufficient to enforce that restriction. An attacker could craft an arbitrary message instructing the contract to release a specified number of tokens to a chosen address. Because the contract failed to verify that the message genuinely originated from Axelar, it processed the spoofed payload as legitimate, causing the PortalV2 contract to unlock assets without any on-chain deposit backing them. BlockSec characterized the root cause as over-reliance on a single validation pathway, noting that cross-chain systems that depend on one validation path create exploitable single points of failure. CrossCurve's architecture incorporated Axelar, LayerZero, and its own EYWA Oracle Network as validation layers, but the ReceiverAxelar contract's individual access control gap was sufficient for the attacker to circumvent the intended multi-pathway design.","heading":"Technical Vulnerability: Weak Access Controls in ReceiverAxelar","severity":"critical","sources":[{"credibility":2,"name":"Explained: The CrossCurve Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-crosscurve-hack-february-2026"},{"credibility":3,"name":"The CrossCurve $3M Bridge Exploit: How One Missing Check Let Attackers Forge Cross-Chain Messages — DEV Community","type":"research","url":"https://dev.to/ohmygod/the-crosscurve-3m-bridge-exploit-how-one-missing-check-let-attackers-forge-cross-chain-messages-516m"},{"credibility":2,"name":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"}]},{"content":"Following the attack, CrossCurve CEO Boris Povar immediately suspended platform operations and warned users to pause all interactions with the protocol. The team identified ten Ethereum wallet addresses that received the stolen tokens and issued a 72-hour deadline — measured from block 24364392 — for the funds to be returned or for direct contact to be established. CrossCurve invoked its SafeHarbor WhiteHat policy, offering up to 10% of recovered funds (approximately $300,000) as a bounty for any party that returned the remaining 90%. The team stated that parties wishing to remain anonymous could return assets to a designated wallet address. Upon expiry of the deadline without contact, CrossCurve indicated it would pursue criminal complaints, civil litigation, coordination with centralized exchanges and stablecoin issuers to freeze assets, public disclosure of wallet data, and collaboration with blockchain analytics firms including Chainalysis and law enforcement agencies. There is no publicly reported confirmation as of the investigation date that any funds were recovered.","heading":"Team Response and SafeHarbor WhiteHat Policy","severity":"high","sources":[{"credibility":2,"name":"$3 Million Reportedly Lost in CrossCurve Bridge Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/crosscurve-bridge-exploit-loss/"},{"credibility":2,"name":"CrossCurve Bridge Exploited for $3M After Spoofed Cross-Chain Messages — CoinEdition","type":"news_article","url":"https://coinedition.com/crosscurve-bridge-exploited-for-3m-after-spoofed-cross-chain-messages/"},{"credibility":2,"name":"CrossCurve exploited for $3 million in multi-network bridge attack — Crypto.news","type":"news_article","url":"https://crypto.news/crosscurve-exploited-for-3-million-in-multi-network-bridge-attack/"}]},{"content":"CrossCurve is the rebranded product of EYWA Protocol, a cross-chain liquidity and consensus bridge project. In May 2024, EYWA completed a $7 million seed round led by Curve Finance founder Michael Egorov, with participation from Fenbushi Capital, GBV Capital, Big Brain Holdings, Marshland Capital, and Mulana Capital, bringing total reported funding to over $8.5 million across private and public rounds. CrossCurve was developed as a joint product between EYWA and Curve Finance, designed to enable low-slippage cross-chain swaps of stablecoins and other assets by routing through Curve's deep liquidity pools. The protocol supported Ethereum, BNB Chain, Polygon, Avalanche, Arbitrum, and Optimism at the time of the exploit. The consensus bridge architecture was intended to reduce single points of failure by routing transactions through multiple independent validation protocols — Axelar, LayerZero, and the EYWA Oracle Network — though the February 2026 exploit demonstrated that individual contract-level access controls remained a critical vulnerability surface.","heading":"Project Background: EYWA Protocol and Curve Finance Backing","severity":"low","sources":[{"credibility":2,"name":"Top VCs Join EYWA's Seed Round Led by Curve's Founder — The Defiant (via Yahoo Finance)","type":"news_article","url":"https://finance.yahoo.com/news/top-vcs-join-eywas-seed-213000700.html"},{"credibility":2,"name":"EYWA: DeFi innovation backed by industry titans — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/eywa-defi-innovation-backed-by-industry-titans/"},{"credibility":2,"name":"Seed Round — CrossCurve Metelayer — Crunchbase","type":"other","url":"https://www.crunchbase.com/funding_round/eywa-e9b6-seed--adf2938f"}]},{"content":"The CrossCurve exploit is part of a broader surge in cross-chain bridge attacks in 2026. PeckShield tracked 8 major bridge exploits totaling approximately $328.6 million through mid-May 2026, listing CrossCurve among the affected protocols alongside THORchain, ZetaChain, KelpDAO, HyperBridge, Squid Router, and IoTeX. The year-to-date figure includes a reported $300 million KelpDAO LayerZero breach and a reported $200 million Drift Protocol incident in April 2026, which collectively dwarf the CrossCurve loss in scale. CCN and other outlets noted that the CrossCurve incident rekindled concerns about cross-chain risk, given the persistent difficulty of validating message authenticity across heterogeneous blockchain environments. KuCoin research described 2026 as a year in which bridge exploits and sophisticated operations collectively drove over $750 million in total crypto losses through mid-year.","heading":"Broader 2026 Bridge Exploit Context","severity":"medium","sources":[{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as Peckshield Tracks 8 Major Incidents — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations Drive Over $750 Million in Losses — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"},{"credibility":2,"name":"CrossCurve Bridge Exploit Drains About $3M, Rekindling Cross-Chain Risk — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/crosscurve-bridge-exploit-3m-cross-chain-risk-hack/"}]}],"sources_used":[{"credibility":2,"name":"Explained: The CrossCurve Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-crosscurve-hack-february-2026"},{"credibility":2,"name":"CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages — The Block","type":"news_article","url":"https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages"},{"credibility":2,"name":"$3 Million Reportedly Lost in CrossCurve Bridge Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/crosscurve-bridge-exploit-loss/"},{"credibility":2,"name":"CrossCurve Bridge Exploit Drains About $3M, Rekindling Cross-Chain Risk — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/crosscurve-bridge-exploit-3m-cross-chain-risk-hack/"},{"credibility":2,"name":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"credibility":2,"name":"CrossCurve exploited for $3 million in multi-network bridge attack — Crypto.news","type":"news_article","url":"https://crypto.news/crosscurve-exploited-for-3-million-in-multi-network-bridge-attack/"},{"credibility":2,"name":"CrossCurve Bridge Exploited for $3M After Spoofed Cross-Chain Messages — CoinEdition","type":"news_article","url":"https://coinedition.com/crosscurve-bridge-exploited-for-3m-after-spoofed-cross-chain-messages/"},{"credibility":3,"name":"The CrossCurve $3M Bridge Exploit: How One Missing Check Let Attackers Forge Cross-Chain Messages — DEV Community","type":"research","url":"https://dev.to/ohmygod/the-crosscurve-3m-bridge-exploit-how-one-missing-check-let-attackers-forge-cross-chain-messages-516m"},{"credibility":2,"name":"Top VCs Join EYWA's Seed Round Led by Curve's Founder — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/top-vcs-join-eywas-seed-213000700.html"},{"credibility":2,"name":"EYWA: DeFi innovation backed by industry titans — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/eywa-defi-innovation-backed-by-industry-titans/"},{"credibility":2,"name":"Seed Round — CrossCurve Metelayer — Crunchbase","type":"other","url":"https://www.crunchbase.com/funding_round/eywa-e9b6-seed--adf2938f"},{"credibility":2,"name":"Crypto Bridge Exploits Hit $328.6M in May as Peckshield Tracks 8 Major Incidents — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations Drive Over $750 Million in Losses — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"},{"credibility":2,"name":"CrossCurve Bridge Exploit: $3M Loss Due to Fabricated Message Vulnerability — KuCoin News","type":"news_article","url":"https://www.kucoin.com/news/articles/crosscurve-bridge-exploit-3m-loss-due-to-fabricated-message-vulnerability"},{"credibility":2,"name":"$3M CrossCurve Bridge Cyberattack Exposes Validation Flaw — The Cyber Express","type":"news_article","url":"https://thecyberexpress.com/crosscurve-bridge-3m-cyberattack/"}],"summary":"CrossCurve Bridge is a cross-chain liquidity protocol formerly known as EYWA, built in partnership with Curve Finance and backed by Curve founder Michael Egorov. On February 2, 2026, the protocol was exploited for approximately $3 million after attackers discovered that its ReceiverAxelar smart contract failed to validate the origin of cross-chain messages, allowing fabricated instructions to drain PortalV2 contracts across multiple networks. The team invoked a SafeHarbor WhiteHat policy offering a 10% bounty, while threatening legal escalation if funds were not returned within 72 hours.","timeline":[{"date":"2023-09-01","event":"Curve Finance founder Michael Egorov invested in EYWA Protocol (CrossCurve's predecessor), establishing the Curve partnership.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/eywa-defi-innovation-backed-by-industry-titans/"},{"date":"2024-05-03","event":"EYWA Protocol completed a $7 million seed round led by Michael Egorov, with participation from Fenbushi Capital, GBV Capital, Big Brain Holdings, Marshland Capital, and Mulana Capital.","source":"Yahoo Finance / The Defiant","source_url":"https://finance.yahoo.com/news/top-vcs-join-eywas-seed-213000700.html"},{"date":"2026-01-31","event":"On-chain data reportedly showed the CrossCurve PortalV2 contract balance dropping to near zero, approximately one day before the public announcement of the exploit.","source":"Crypto.news (citing Arkham Intelligence)","source_url":"https://crypto.news/crosscurve-exploited-for-3-million-in-multi-network-bridge-attack/"},{"date":"2026-02-02","event":"CrossCurve publicly confirmed its bridge was under active attack. Approximately $3 million was drained from PortalV2 contracts across multiple networks via spoofed cross-chain messages to the ReceiverAxelar contract.","source":"BeInCrypto","source_url":"https://beincrypto.com/crosscurve-bridge-exploit-loss/"},{"date":"2026-02-02","event":"CrossCurve CEO Boris Povar identified 10 Ethereum addresses receiving stolen funds and issued a 72-hour SafeHarbor ultimatum offering a 10% bounty (~$300,000) for fund return, with threats of criminal and civil escalation upon non-compliance.","source":"BanklessTimes","source_url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"date":"2026-02-02","event":"Halborn published a technical post-mortem attributing the exploit to weak access controls in the ReceiverAxelar contract's expressExecute function, which failed to enforce that messages originated from the Axelar gateway.","source":"Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-crosscurve-hack-february-2026"},{"date":"2026-05-01","event":"PeckShield published a report counting CrossCurve among 8 bridge exploits totaling $328.6 million year-to-date in 2026.","source":"Bitcoin.com News","source_url":"https://news.bitcoin.com/crypto-bridge-exploits-328-million-may-2026-peckshield/"}]},"v":1}