CrossCurve Bridge Loses $3 Million in Multi-Chain Exploit via Spoofed Messages
Cross-chain liquidity protocol CrossCurve has confirmed an active attack on its bridge infrastructure. The project announced on Sunday that a vulnerability in its smart contracts was exploited for roughly $3 million across multiple networks.
“Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve stated on X. “Please pause all interactions with CrossCurve while the investigation is ongoing.”
Blockchain security account Defimon Alerts identified the attack method as a gateway validation bypass in CrossCurve’s ReceiverAxelar contract. Their analysis indicates an attacker could call the expressExecute function with a spoofed cross-chain message. This bypassed the intended gateway checks and triggered unauthorized token unlocks on the protocol’s PortalV2 contract.
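The class of flaw described above, modelled in Python as an added example (not CrossCurve's or Axelar's code). Only the expressExecute name comes from the report; the `Gateway`, `Portal` and `Receiver` classes and the one-shot approval check are simplified assumptions about what a gateway check does.

```python
import hashlib

class Gateway:
    """Stand-in for the gateway: remembers messages it really approved."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(command_id, chain, sender, payload):
        return (command_id, chain, sender, hashlib.sha256(payload).hexdigest())

    def approve(self, command_id, chain, sender, payload):
        self._approved.add(self._key(command_id, chain, sender, payload))

    def validate(self, command_id, chain, sender, payload):
        key = self._key(command_id, chain, sender, payload)
        if key not in self._approved:
            return False
        self._approved.remove(key)  # one-shot approval, so no replay
        return True

class Portal:
    """Stand-in for the token vault that holds locked funds."""
    def __init__(self, locked):
        self.locked, self.unlocked = locked, 0

    def unlock(self, amount):
        if amount > self.locked:
            raise ValueError("insufficient locked balance")
        self.locked -= amount
        self.unlocked += amount

class Receiver:
    def __init__(self, gateway, portal):
        self.gateway, self.portal = gateway, portal

    def express_execute_unchecked(self, command_id, chain, sender, payload):
        # Flawed pattern: caller-supplied message fields are trusted as-is.
        self.portal.unlock(int.from_bytes(payload, "big"))

    def express_execute_checked(self, command_id, chain, sender, payload):
        # Hardened pattern: act only on a message the gateway has approved.
        if not self.gateway.validate(command_id, chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        self.portal.unlock(int.from_bytes(payload, "big"))
```

In this model the unchecked path unlocks funds for any caller-supplied message, while the checked path rejects both unapproved messages and replays of an approved one.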
This vulnerability echoes the $190 million Nomad bridge exploit from 2022, which resulted in a frenzy of over 300 wallet addresses attempting to drain funds. “I cannot believe nothing has changed in four years,” security expert Taylor Monahan told The Block in reference to this latest incident.
