CrossCurve Bridge Exploited via Smart Contract Vulnerability, $3 Million in Assets Stolen

On January 31, 2026, the CrossCurve cross-chain protocol was exploited for $3 million due to a smart contract validation vulnerability. The team has suspended interactions. The vulnerability is noted to be similar to the 2022 Nomad Bridge exploit.

AUTOSEC.DEV
  • Exploit Date: February 1, 2026
  • Target Project: CrossCurve
  • Project Overview: CrossCurve is a Web3 cross-chain liquidity protocol and bridge platform.
  • Loss Amount: $3,000,000
  • Attack Vector: Smart Contract Vulnerability (Message Spoofing)

Incident Review & Technical Details

  1. Attack Path: The ReceiverAxelar contract in CrossCurve lacked proper gateway verification checks. This allowed the attacker to spoof cross-chain messages and call the expressExecute function within the contract. By bypassing the intended gateway validation logic, the attacker triggered the PortalV2 contract to perform unauthorised token unlocking operations.
  2. Impact: The attack spanned multiple blockchain networks, resulting in the PortalV2 contract balance dropping from approximately $3 million to near zero, effectively draining the core bridge liquidity.
  3. Official Assessment: The root cause was a validation logic vulnerability at the smart contract layer. This exploit pattern bears a high resemblance to the 2022 Nomad Bridge exploit, which resulted in a $190 million loss.
  4. Investigation Progress: The project team has issued an emergency announcement suspending all interactions with the CrossCurve protocol. Security firms have identified the attacker's addresses and are tracking the on-chain flow of funds. Curve Finance has simultaneously advised users to verify their staking positions and implement risk management measures.
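As an added illustration (not CrossCurve's or Axelar's code), the pattern described in point 1 in simplified Solidity: a receiver whose express path executes any payload handed to it, beside one that first checks the message sender and the gateway's approval before letting the portal unlock anything. IGateway and IPortal are hypothetical interfaces; validateContractCall borrows the name and argument shape of the function on Axelar's gateway interface, and whether CrossCurve's contracts used it is not stated on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified gateway interface (assumption). The name and argument shape
// follow Axelar's IAxelarGateway.validateContractCall, which consumes the
// gateway's recorded approval for one message and returns whether it existed.
interface IGateway {
    function validateContractCall(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes32 payloadHash
    ) external returns (bool);
}

// Hypothetical stand-in for the unlock side of the bridge (the PortalV2 role).
interface IPortal {
    function unlock(address to, uint256 amount) external;
}

// Vulnerable pattern: whatever payload reaches the express path is executed,
// so any caller can "deliver" a message the gateway never saw.
contract VulnerableReceiver {
    IPortal public immutable portal;
    constructor(IPortal p) { portal = p; }

    function expressExecute(bytes32, string calldata, string calldata, bytes calldata payload) external {
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        portal.unlock(to, amount); // no proof the gateway approved this message
    }
}

// Hardened pattern: execute only a message the gateway has approved, and only
// if it was sent by the known bridge contract on the source chain.
contract HardenedReceiver {
    IGateway public immutable gateway;
    IPortal public immutable portal;
    bytes32 public immutable trustedSender; // keccak256(sourceChain, sourceAddress)

    constructor(IGateway g, IPortal p, string memory chain, string memory sender) {
        gateway = g;
        portal = p;
        trustedSender = keccak256(abi.encode(chain, sender));
    }

    function execute(bytes32 commandId, string calldata sourceChain, string calldata sourceAddress, bytes calldata payload) external {
        require(keccak256(abi.encode(sourceChain, sourceAddress)) == trustedSender, "untrusted source");
        require(gateway.validateContractCall(commandId, sourceChain, sourceAddress, keccak256(payload)), "not approved by gateway");
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        portal.unlock(to, amount);
    }
}
```

If an express (pre-approval) path is kept for latency, it needs its own trust decision, such as restricting who may call it, because by design it runs before the gateway's approval exists.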

AUTOSEC.DEV Solution: Building a 360-Degree Defense

To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:

  1. Team OPSEC (Operations Security) Audit & Hardening: We offer enterprise-grade security training and configuration for core Web3 team members. We assist teams in deploying security hardware and risk detection software to increase the difficulty of social engineering attacks, while auditing password management protocols and device security policies.
  2. End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.

Reference

https://www.theblock.co/post/387939/crosscurve-bridge-exploited-for-approximately-3-million-across-multiple-chains-via-spoofed-messages