CrossCurve Security Breach Leads to $3M Crypto Loss

Crypto protocol CrossCurve has suffered a major security breach after its cross-chain bridge was exploited, resulting in an estimated $3 million loss across multiple blockchain networks. The team has urged users to immediately pause interactions with the protocol as investigations continue.

The incident adds to growing concerns around DeFi bridge security, which remains one of the most targeted attack vectors in the crypto industry.

CrossCurve Confirms Attack

CrossCurve confirmed the breach in a post on X (formerly Twitter) late Sunday, stating that its cross-chain bridge was actively “under attack.” According to the team, the exploit involved a vulnerability in one of the smart contracts responsible for cross-chain message execution.

“Please pause all interactions with CrossCurve while the investigation is ongoing,” the protocol warned users.

The team has not yet disclosed the full scope of affected assets but acknowledged that the attack spanned several blockchain networks, making containment more complex.

$3M Reportedly Stolen

Blockchain security researchers quickly weighed in on the incident. Defimon Alerts, an X account associated with security firm Decurity, reported that attackers exploited CrossCurve for approximately $3 million.

According to Defimon Alerts, the vulnerability allowed malicious actors to spoof cross-chain messages, bypassing critical validation checks.

CrossCurve @crosscurvefi (ex https://t.co/4HJ33uOZUS) has been exploited for around 3 million on several networks.

Anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2.… pic.twitter.com/EfYe3Tfo9v

— Defimon Alerts (@DefimonAlerts) February 1, 2026

“One of CrossCurve’s smart contracts allowed anyone to call expressExecute on the ReceiverAxelar contract with a spoofed message, bypassing gateway validation and unlocking tokens,” the account said.

This exploit reportedly triggered unauthorized unlocks on PortalV2, enabling attackers to drain funds without legitimate cross-chain verification.

Smart Contract Flaw

The breach highlights a recurring issue in cross-chain infrastructure: message validation. Cross-chain bridges rely on trusted gateways and validators to confirm transactions between networks. If this process is compromised, attackers can manipulate messages to release funds.

In CrossCurve’s case, the flaw allowed attackers to impersonate legitimate cross-chain calls, effectively tricking the protocol into unlocking tokens.

Security experts have long warned that bridge smart contracts are among the most complex and risky components in DeFi, with even minor oversights leading to catastrophic losses.

Curve Finance Response

Curve Finance, a major DeFi protocol and partner of CrossCurve, also addressed the situation. In a statement posted on X, Curve advised users who had allocated votes or liquidity to CrossCurve pools to review their exposure.

In light of the recent security incident involving https://t.co/3Wv3pEhCu8 (== CrossCurve):

Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes. We continue to encourage all participants to remain vigilant and… https://t.co/chd5YBOXhr

— Curve Finance (@CurveFinance) February 1, 2026

“Users may wish to review their positions and consider removing those votes,” Curve said.

The protocol emphasized the importance of risk-aware decision-making when interacting with third-party DeFi projects, especially during active security incidents.

10% Bounty Offered

In an effort to recover stolen funds, CrossCurve CEO Boris Povar publicly shared wallet addresses believed to have received tokens from the exploit. He appealed directly to the attacker, offering a 10% bounty if the funds were returned within 72 hours.

“These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part,” Povar said, adding that there was no immediate indication of malicious intent.

The message reflects a growing trend in DeFi, where protocols attempt negotiated recoveries before escalating incidents to legal authorities.

Legal Action Warning

Povar made it clear that the offer was time-sensitive. If no response or return of funds occurs within the 72-hour window, CrossCurve plans to treat the incident as a criminal matter.

“If the funds are not returned or no contact is established, we will assume malicious intent,” he said.

CrossCurve is prepared to cooperate with law enforcement, pursue civil litigation, and coordinate with other crypto projects and centralized platforms to freeze assets linked to the exploit.

Rising DeFi Risks

The CrossCurve breach follows a series of high-profile DeFi attacks in recent months, including the Step Finance treasury breach, where $27 million in SOL was drained and the STEP token crashed nearly 90%.

These incidents underscore the ongoing security challenges facing decentralized finance, particularly in cross-chain environments where complexity increases the attack surface.

For users, the event serves as another reminder to diversify risk, monitor protocol updates closely, and avoid interacting with platforms during unresolved security incidents.