Verify a decision

{"actor":"system:backfill","investigation_id":"5f8cd172-049b-43de-a6aa-f72f42130964","kind":"publish","page_slug":"crosscurve-formerly-eywa-bridge-exploit-feb-2026","published_at":"2026-06-08T02:45:41.154Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"CrossCurve (formerly EYWA) Bridge Exploit (Feb 2026)","sections":[{"content":"CrossCurve is a cross-chain DEX and MetaLayer protocol that operates under the EYWA Protocol brand, with its primary product marketed as CrossCurve MetaLayer. The EYWA project was founded in December 2020 and developed a cross-chain liquidity bridge leveraging Curve Finance's deep liquidity pools. Curve Finance founder Michael Egorov became a backer in September 2023, and the project subsequently reported raising approximately $7–8.5 million across private and public funding rounds, with investors including Fenbushi Capital and GBV Capital. The protocol is led by CEO Boris Povar. EYWA and CrossCurve are not distinct rebrands in the traditional sense; rather, the EYWA Protocol brand has been used to refer to the infrastructure layer, while CrossCurve is the product and DeFi-facing name. Both the eywa.fi and crosscurve.fi domains serve the same protocol. The protocol deployed bridge contracts using Axelar's General Message Passing (GMP) SDK to enable cross-chain token transfers.","heading":"Protocol Background and EYWA–CrossCurve Rebrand","severity":"low","sources":[{"credibility":2,"name":"EYWA/CrossCurve Tokenomics Documentation","type":"official","url":"https://docs.eywa.fi/eywa-token/tokenomics-eywa-crosscurve"},{"credibility":2,"name":"Top VCs Join EYWA's Seed Round Led by Curve's Founder — The Defiant","type":"news_article","url":"https://thedefiant.io/news/press-releases/top-vcs-join-eywas-seed-round-led-by-curves-founder"},{"credibility":2,"name":"CrossCurve Metelayer — Crunchbase Company Profile","type":"other","url":"https://www.crunchbase.com/organization/eywa-e9b6"},{"credibility":3,"name":"The Origin and Evolution of EYWA — MEXC Crypto Pulse","type":"news_article","url":"https://www.mexc.co/crypto-pulse/article/the-origin-and-evolution-of-eywa-424"}]},{"content":"On February 1, 2026 at 18:38:23 UTC (Ethereum block 24,363,854), an attacker exploited CrossCurve's PortalV2 bridge contracts across multiple chains by abusing an unprotected expressExecute() function in the ReceiverAxelar smart contract. The attack drained the PortalV2 contract — which held approximately $3 million in total value — to near zero. Security firms analyzing the incident report differing loss figures reflecting the composition of stolen assets. Olympix and QuillAudits place confirmed liquid losses at approximately $1,441,892 — comprising USDT and other tokens on Arbitrum swapped to WETH via CoW Protocol and bridged to Ethereum via Across Protocol. The Block and Decrypt reported the figure as approximately $3 million, reflecting the total pre-exploit PortalV2 balance including approximately 999,787,453 EYWA tokens that were extracted to the attacker's Ethereum wallet but were effectively illiquid due to the absence of on-chain liquidity and subsequent exchange freezes on EYWA deposits. BlockSec estimated total losses at approximately $2.76 million, allocating roughly $1.3 million to Ethereum and $1.28 million to Arbitrum. The most conservative and methodologically precise figure from post-mortem security analysis is approximately $1.44 million in realized liquid losses; the widely-cited $3 million figure represents total PortalV2 TVL drained. No funds have been recovered as of the investigation date.","heading":"Exploit Overview and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"CrossCurve Exploit Post-Mortem: $1.4M Lost to a Missing Access Control Check — Olympix","type":"research","url":"https://olympixai.medium.com/crosscurve-exploit-post-mortem-1-4m-lost-to-a-missing-access-control-check-c128e0aeb360"},{"credibility":2,"name":"Cross Curve $1.4M Implementation Bug [Explained] — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/cross-curve-exploit"},{"credibility":1,"name":"CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages — The Block","type":"news_article","url":"https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages"},{"credibility":1,"name":"CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit — Decrypt","type":"news_article","url":"https://decrypt.co/356599/crosscurve-legal-action-3m-cross-chain-bridge-exploit"},{"credibility":2,"name":"EYWA PortalV2 Axelar Exploit Analysis — DarkNavy","type":"research","url":"https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/"},{"credibility":2,"name":"CrossCurve's $3M Bridge Exploit — BlockEden.xyz","type":"research","url":"https://blockeden.xyz/blog/2026/03/16/crosscurve-3m-bridge-exploit-axelar-gateway-fabricated-cross-chain-messages/"}]},{"content":"The vulnerability resided in the ReceiverAxelar smart contract (deployed at 0xb2185950f5a0a46687ac331916508aada202e063 on Ethereum), which inherited from Axelar's AxelarExpressExecutable base contract (SDK v5.10). The base contract provides two execution pathways: execute(), which calls validateContractCall() to verify a message's origin from the Axelar Gateway, and expressExecute(), a fast-path function designed for expedited processing that skips this validation step. CrossCurve's ReceiverAxelar contract inherited expressExecute() without overriding it or adding access controls. As a result, the function was publicly callable by any address with any fabricated payload. The attacker exploited this by: (1) generating a fresh commandId to bypass the sole implemented check (a used-commandId deduplication guard); (2) spoofing the sourceChain parameter as 'berachain' and supplying the sourceAddress 0x5eEdDcE72530e4fC96d43E3d70Fe09aD0D037175; (3) crafting an ABI-encoded payload encoding an opcode of BURN-UNLOCK instructing the PortalV2 contract to release tokens; and (4) calling expressExecute() directly on the ReceiverAxelar contract. A further contributing factor was that the Consensus threshold for certain sourceChains was configured at 1, effectively disabling multi-guardian verification and contradicting the protocol's stated security model. Cantina's post-mortem classified this as an integration blunder — CrossCurve failed to apply necessary overrides when inheriting the Axelar SDK's express execution logic, a pattern flagged as dangerous in Axelar SDK documentation.","heading":"Technical Root Cause: Missing Axelar Gateway Validation","severity":"critical","sources":[{"credibility":2,"name":"CrossCurve Bridge Hack: An Integration Blunder — Cantina","type":"research","url":"https://cantina.xyz/blog/crosscurve-bridge-hack-axelar-expressexecute"},{"credibility":2,"name":"EYWA PortalV2 Axelar Exploit Analysis — DarkNavy","type":"research","url":"https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/"},{"credibility":2,"name":"CrossCurve Exploit Post-Mortem: $1.4M Lost to a Missing Access Control Check — Olympix","type":"research","url":"https://olympixai.medium.com/crosscurve-exploit-post-mortem-1-4m-lost-to-a-missing-access-control-check-c128e0aeb360"},{"credibility":2,"name":"Explained: The CrossCurve Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-crosscurve-hack-february-2026"}]},{"content":"The primary attacker address receiving unlocked funds is 0x632400f42e96a5deb547a179ca46b02c22cd25cd. A secondary holding address is 0x851c01d014b1ad2b1266ca48a4b5578b67194834, which received the bulk of the liquid WETH proceeds after conversion. The attack transaction on Ethereum is 0x37d9b911ef710be851a2e08e1cfc61c2544db0f208faeade29ee98cc7506ccc2. The PortalV2 victim contract address is 0xac8f44ceca92b2a4b30360e5bd3043850a0ffcbe. The EYWA token contract is 0x8cb8c4263eb26b2349d74ea2cb1b27bc40709e12. Post-exploit fund movement followed a laundering path: liquid assets on Arbitrum (USDT and mixed tokens) were converted to WETH via CoW Protocol, then bridged to Ethereum using Across Protocol, where they were consolidated at the secondary address. The 999.8 million EYWA tokens extracted to the primary address remained unmoved due to the absence of sufficient on-chain liquidity and exchange-level deposit freezes. CrossCurve identified a total of ten Ethereum addresses associated with the exploit proceeds.","heading":"Attacker Addresses and Fund Movement","severity":"critical","sources":[{"credibility":2,"name":"EYWA PortalV2 Axelar Exploit Analysis — DarkNavy","type":"on_chain","url":"https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/"},{"credibility":2,"name":"Cross Curve $1.4M Implementation Bug [Explained] — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/cross-curve-exploit"},{"credibility":2,"name":"CrossCurve Bridge Hack: An Integration Blunder — Cantina","type":"research","url":"https://cantina.xyz/blog/crosscurve-bridge-hack-axelar-expressexecute"}]},{"content":"The exploit targeted the PortalV2 bridge contracts deployed across multiple EVM-compatible chains. Confirmed affected chains include Ethereum (primary Axelar receiver exploit), Arbitrum (significant liquid asset drain), Optimism, Base, Mantle, Kava, Frax, Celo, and Blast. The attack exploited the same unprotected expressExecute() function present in ReceiverAxelar deployments on each supported chain, enabling a systematic multi-chain drain within a short execution window.","heading":"Chains Affected","severity":"high","sources":[{"credibility":1,"name":"CrossCurve bridge exploited for approximately $3 million across multiple chains — The Block","type":"news_article","url":"https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages"},{"credibility":2,"name":"CrossCurve Bridge Exploit Drains About $3M — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/crosscurve-bridge-exploit-3m-cross-chain-risk-hack/"}]},{"content":"CrossCurve CEO Boris Povar responded publicly on X (Twitter), urging users to halt all activity with the protocol. The team activated a war room in coordination with security firm MixBytes to investigate the root cause. Within hours, the team identified ten Ethereum addresses linked to the exploit and published them publicly. CrossCurve invoked its SafeHarbor WhiteHat policy, initially offering the attacker a 10% retention bounty (keep 10% of stolen funds, return 90% within 72 hours of block 24,364,392). The ultimatum was later escalated with an offer of 20% retention in an attempt to incentivize cooperation. The team warned that failure to make contact or return funds would result in criminal referrals, civil litigation, coordination with centralized exchanges and stablecoin issuers to freeze assets, and engagement of blockchain analytics firms Chainalysis and TRM Labs. No response from the attacker was publicly reported, and no funds have been confirmed recovered. The protocol paused its router contracts and bridge operations pending remediation.","heading":"Team Response and Recovery Attempts","severity":"high","sources":[{"credibility":1,"name":"CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit — Decrypt","type":"news_article","url":"https://decrypt.co/356599/crosscurve-legal-action-3m-cross-chain-bridge-exploit"},{"credibility":2,"name":"CrossCurve cross-chain bridge exploit leads to $3 million loss and 10% bounty offer — BingX","type":"news_article","url":"https://bingx.com/en/news/post/crosscurve-cross-chain-bridge-exploit-leads-to-million-loss-and-bounty-offer"},{"credibility":2,"name":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"credibility":2,"name":"CrossCurve Threatens Legal Action — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/crosscurve-threatens-legal-action-3m-054416969.html"}]},{"content":"Following the February 2026 exploit of its Axelar-based bridge contracts, CrossCurve engaged Hashlock to conduct a security audit of its LayerZero-based OFT (Omnichain Fungible Token) messaging contracts — a separate component of its cross-chain infrastructure. The Hashlock audit was finalized in March 2026 and covered five contracts: CrossCurveCore.sol, OFTAdapter.sol, MintBurnOFTAdapter.sol, CrossCurveOFTStorage.sol, and OptionsReader.sol. Hashlock identified one medium-severity and three low-severity findings, all of which CrossCurve resolved prior to the final report. Hashlock awarded the audited contracts a 'Secure' rating. This audit addressed the LayerZero messaging layer only; the status of the Axelar-based PortalV2 contracts that were exploited was not confirmed as separately re-audited in available sources. MixBytes had previously conducted three audits of CrossCurve's bridge contracts prior to the exploit; the specific scope and findings of those audits are not detailed in available public sources.","heading":"Post-Exploit Security Remediation","severity":"medium","sources":[{"credibility":2,"name":"CrossCurve Reinforces Cross-Chain Security with Hashlock Audit of OFT Messaging Layer — TheCryptoUpdates","type":"news_article","url":"https://www.thecryptoupdates.com/crosscurve-reinforces-cross-chain-security-with-hashlock-audit-of-oft-messaging-layer/"},{"credibility":2,"name":"CrossCurve Reinforces Cross-Chain Security with Hashlock Audit — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1028361"}]},{"content":"The CrossCurve exploit occurred as part of a documented cluster of cross-chain bridge attacks in early-to-mid February 2026. The IoTeX ioTube bridge was exploited on February 21–22, 2026 for approximately $4.3–4.4 million via a compromised validator owner private key on the Ethereum side — a distinct operational security failure rather than a smart contract logic flaw. Hyperbridge also suffered a reported $2.5 million exploit during the same period. PeckShield data through mid-May 2026 documented eight significant bridge-related incidents in 2026 with cumulative losses of approximately $328–329 million. The February 2026 attacks collectively highlight ongoing systemic risks in cross-chain interoperability protocols, specifically in message validation and access control patterns when integrating third-party bridging SDKs.","heading":"Broader February 2026 Bridge Attack Wave","severity":"medium","sources":[{"credibility":1,"name":"IoTeX bridge exploit raises debate over losses and recovery prospects — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/02/23/iotex-bridge-exploit-sparks-debate-over-losses-and-recovery-prospects"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"},{"credibility":2,"name":"Explained: The IoTeX Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-iotex-hack-february-2026"}]},{"content":"MixBytes conducted three audits of CrossCurve's bridge contracts prior to the February 2026 exploit. The specific scope, findings, and dates of those audits are not detailed in publicly available post-mortem sources. The exploit itself was not a novel or obscure vulnerability class: the risk of inheriting AxelarExpressExecutable's expressExecute() without access controls is noted as a known dangerous pattern in Axelar SDK documentation. Cantina's post-mortem framed the failure explicitly as an integration blunder. The unprotected function and consensus threshold of 1 on certain sourceChains suggest implementation-level oversights that prior audits either did not cover in scope or did not flag sufficiently. The February exploit exposed a gap between the protocol's stated security model (multi-guardian consensus bridge) and its actual on-chain configuration for specific chain routes.","heading":"Prior Audit History and Security Posture","severity":"high","sources":[{"credibility":2,"name":"CrossCurve Bridge Hack: An Integration Blunder — Cantina","type":"research","url":"https://cantina.xyz/blog/crosscurve-bridge-hack-axelar-expressexecute"},{"credibility":2,"name":"CrossCurve $1.4M Exploit: What Went Wrong? — QuillAudits Medium","type":"research","url":"https://quillaudits.medium.com/crosscurve-1-4m-exploit-c2ef752c4e84"}]}],"sources_used":[{"credibility":2,"name":"Explained: The CrossCurve Hack (February 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-crosscurve-hack-february-2026"},{"credibility":1,"name":"CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages — The Block","type":"news_article","url":"https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages"},{"credibility":2,"name":"CrossCurve Bridge Exploit Drains About $3M, Rekindling Cross-Chain Risk — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/crosscurve-bridge-exploit-3m-cross-chain-risk-hack/"},{"credibility":2,"name":"$3 Million Reportedly Lost in CrossCurve Bridge Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/crosscurve-bridge-exploit-loss/"},{"credibility":1,"name":"CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit — Decrypt","type":"news_article","url":"https://decrypt.co/356599/crosscurve-legal-action-3m-cross-chain-bridge-exploit"},{"credibility":2,"name":"CrossCurve Threatens Legal Action — Yahoo Finance / Decrypt","type":"news_article","url":"https://finance.yahoo.com/news/crosscurve-threatens-legal-action-3m-054416969.html"},{"credibility":2,"name":"CrossCurve Bridge Hack: An Integration Blunder — Cantina","type":"research","url":"https://cantina.xyz/blog/crosscurve-bridge-hack-axelar-expressexecute"},{"credibility":2,"name":"CrossCurve Exploit Post-Mortem: $1.4M Lost to a Missing Access Control Check — Olympix","type":"research","url":"https://olympixai.medium.com/crosscurve-exploit-post-mortem-1-4m-lost-to-a-missing-access-control-check-c128e0aeb360"},{"credibility":2,"name":"Cross Curve $1.4M Implementation Bug [Explained] — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/cross-curve-exploit"},{"credibility":2,"name":"CrossCurve $1.4M Exploit: What Went Wrong? — QuillAudits Medium","type":"research","url":"https://quillaudits.medium.com/crosscurve-1-4m-exploit-c2ef752c4e84"},{"credibility":2,"name":"EYWA PortalV2 Axelar Exploit Analysis — DarkNavy","type":"research","url":"https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/"},{"credibility":2,"name":"CrossCurve's $3M Bridge Exploit: How One Missing Validation Check Drained a Multi-Chain Protocol — BlockEden.xyz","type":"research","url":"https://blockeden.xyz/blog/2026/03/16/crosscurve-3m-bridge-exploit-axelar-gateway-fabricated-cross-chain-messages/"},{"credibility":2,"name":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"credibility":2,"name":"CrossCurve cross-chain bridge exploit leads to $3 million loss and 10% bounty offer — BingX","type":"news_article","url":"https://bingx.com/en/news/post/crosscurve-cross-chain-bridge-exploit-leads-to-million-loss-and-bounty-offer"},{"credibility":1,"name":"IoTeX bridge exploit raises debate over losses and recovery prospects — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/02/23/iotex-bridge-exploit-sparks-debate-over-losses-and-recovery-prospects"},{"credibility":2,"name":"IoTeX Confirms $4.3M ioTube Bridge Breach — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/02/22/iotex-confirms-4-3m-iotube-bridge-breach-validator-key-compromised/"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations Drive Over $750 Million in Losses — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"},{"credibility":2,"name":"CrossCurve Reinforces Cross-Chain Security with Hashlock Audit of OFT Messaging Layer — TheCryptoUpdates","type":"news_article","url":"https://www.thecryptoupdates.com/crosscurve-reinforces-cross-chain-security-with-hashlock-audit-of-oft-messaging-layer/"},{"credibility":2,"name":"CrossCurve Reinforces Cross-Chain Security with Hashlock Audit — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1028361"},{"credibility":2,"name":"Top VCs Join EYWA's Seed Round Led by Curve's Founder — The Defiant","type":"news_article","url":"https://thedefiant.io/news/press-releases/top-vcs-join-eywas-seed-round-led-by-curves-founder"},{"credibility":2,"name":"CrossCurve Metelayer — Crunchbase Company Profile","type":"other","url":"https://www.crunchbase.com/organization/eywa-e9b6"},{"credibility":2,"name":"CrossCurve MetaLayer Documentation","type":"official","url":"https://docs.crosscurve.fi/"},{"credibility":2,"name":"EYWA/CrossCurve Tokenomics Documentation","type":"official","url":"https://docs.eywa.fi/eywa-token/tokenomics-eywa-crosscurve"},{"credibility":2,"name":"CrossCurve Confirms Active Bridge Exploit Across Multiple Networks — NullTX","type":"news_article","url":"https://nulltx.com/crosscurve-confirms-active-bridge-exploit-across-multiple-networks/"}],"summary":"On February 1, 2026, CrossCurve — a cross-chain DEX and bridge protocol operating under the EYWA brand — suffered a critical exploit of its ReceiverAxelar bridge contract via a missing Axelar Gateway validation check. Approximately $1.4 million in liquid assets were confirmed stolen, while the total PortalV2 contract balance drained was approximately $3 million (including largely illiquid EYWA tokens). No funds were recovered as of the investigation date.","timeline":[{"date":"2020-12-01","event":"EYWA Protocol founded.","source":"MEXC Crypto Pulse — The Origin and Evolution of EYWA","source_url":"https://www.mexc.co/crypto-pulse/article/the-origin-and-evolution-of-eywa-424"},{"date":"2023-09-01","event":"Curve Finance founder Michael Egorov joins EYWA as a backer in its seed round alongside Fenbushi Capital and GBV Capital. Total fundraising reported at $7–8.5 million.","source":"The Defiant — Top VCs Join EYWA's Seed Round Led by Curve's Founder","source_url":"https://thedefiant.io/news/press-releases/top-vcs-join-eywas-seed-round-led-by-curves-founder"},{"date":"2026-01-31","event":"Attacker identifies the unprotected expressExecute() function in CrossCurve's ReceiverAxelar contract and begins probing the vulnerability.","source":"CrossCurve's $3M Bridge Exploit — BlockEden.xyz","source_url":"https://blockeden.xyz/blog/2026/03/16/crosscurve-3m-bridge-exploit-axelar-gateway-fabricated-cross-chain-messages/"},{"date":"2026-02-01","event":"At 18:38:23 UTC, the primary exploit transaction executes on Ethereum (block 24,363,854), draining the PortalV2 contract of approximately 999.8 million EYWA tokens via a spoofed Berachain cross-chain message. Subsequent transactions target Arbitrum and other supported chains, extracting liquid assets including USDT.","source":"EYWA PortalV2 Axelar Exploit Analysis — DarkNavy","source_url":"https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/"},{"date":"2026-02-01","event":"Stolen Arbitrum assets converted to WETH via CoW Protocol and bridged to Ethereum through Across Protocol. EYWA tokens remain in attacker's primary wallet, illiquid.","source":"CrossCurve Bridge Hack: An Integration Blunder — Cantina","source_url":"https://cantina.xyz/blog/crosscurve-bridge-hack-axelar-expressexecute"},{"date":"2026-02-01","event":"CrossCurve CEO Boris Povar publicly confirms the exploit, urges all users to halt protocol activity, and activates a war room with MixBytes. Ten Ethereum addresses linked to the hack are publicly identified.","source":"CrossCurve Bridge Suffers $3M Exploit Across Multiple Chains — BanklessTimes","source_url":"https://www.banklesstimes.com/articles/2026/02/02/crosscurve-bridge-suffers-3m-exploit-across-multiple-chains/"},{"date":"2026-02-02","event":"CrossCurve issues 72-hour ultimatum under SafeHarbor WhiteHat policy: return 90% of funds (retain 10% bounty) or face criminal referrals, civil litigation, and exchange-level asset freezes coordinated via Chainalysis and TRM Labs. Deadline counted from block 24,364,392.","source":"CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit — Decrypt","source_url":"https://decrypt.co/356599/crosscurve-legal-action-3m-cross-chain-bridge-exploit"},{"date":"2026-02-05","event":"CrossCurve escalates bounty offer to 20% in an attempt to incentivize attacker cooperation. No response from attacker is publicly reported.","source":"CrossCurve $1.4M Exploit: What Went Wrong? — QuillAudits Medium","source_url":"https://quillaudits.medium.com/crosscurve-1-4m-exploit-c2ef752c4e84"},{"date":"2026-02-21","event":"IoTeX ioTube bridge exploited for approximately $4.3–4.4 million via compromised validator private key, representing a separate February 2026 bridge attack.","source":"IoTeX Confirms $4.3M ioTube Bridge Breach — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/02/22/iotex-confirms-4-3m-iotube-bridge-breach-validator-key-compromised/"},{"date":"2026-03-01","event":"CrossCurve completes Hashlock audit of its LayerZero OFT messaging contracts. One medium and three low-severity findings identified and resolved. Contracts awarded a 'Secure' rating.","source":"CrossCurve Reinforces Cross-Chain Security with Hashlock Audit — TheCryptoUpdates","source_url":"https://www.thecryptoupdates.com/crosscurve-reinforces-cross-chain-security-with-hashlock-audit-of-oft-messaging-layer/"}]},"v":1}