Crypto Bridge Protocol CrossCurve Exploited for $3M
Update (February 2, 12:20 am UTC): This article has been updated to add a post by CrossCurve CEO Boris Povar.
As the cross-chain bridge of the crypto protocol CrossCurve was attacked, $3 million was allegedly stolen from several networks.
CrossCurve posted on X late Sunday that the bridge is “under attack involving the exploitation of a vulnerability in one of the smart contracts in use.”
“Please temporarily suspend all contact with CrossCurve while the investigation is conducted,” he added.
Defimon Alerts, an X account linked to blockchain security company DeCurity, said CrossCurve was exploited “across multiple networks” for around $3 million.
He added that one of CrossCurve's smart contracts allowed anyone to spoof messages to bypass authentication and unlock tokens.
“Anyone can call ExpressExpress on the ReceiverAxelar contract via an expedited cross-chain message, bypassing friendly path validation and triggering an unlock on PortalV2,” Defimon Alerts said.
In partnership with CrossCurve, Curve Finance wants users assigned to CrossCurve pools on X to “evaluate their position and consider removing those voices.”
“We continue to encourage all participants to remain vigilant and make informed decisions when dealing with third-party projects,” he added.
CrossCurve offers a 10% bonus if funds are returned within 72 hours
In an attempt to track down the attacker, CrossCurve CEO Boris Povar shared the 10 addresses he claimed to have received tokens from the exploit and offered a reward for returns within 72 hours.
“These tokens were mistakenly taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent,” he said. “We hope for your cooperation to return the money.”
Povar offered a bonus of up to 10% if the funds were returned within 72 hours of the attack.
RELATED: STEP Finance Treasuries Breached, STEP 90% Collapsing, $27m SOL Leaked
“If the funds are not returned or if there is no communication within 72 hours, we must assume malicious intent and treat this as a matter of justice,” he added.
Povar said CrossCurve is prepared to work with law enforcement, file civil lawsuits to recover damages, and coordinate with authorities and other crypto projects to freeze assets if funds are not recovered.
Magazine: Meet the onchain crypto detectives who fight crime better than the police
