The decentralized finance protocol CrossCurve reported a significant exploit of its cross-chain bridge system, with security firms estimating losses around $3 million. The protocol’s CEO, Boris Povar, publicly identified ten Ethereum addresses linked to the incident and issued a 72-hour ultimatum for the return of funds, threatening legal and enforcement action.
Decentralized finance protocol CrossCurve disclosed an attacker exploited a vulnerability in a smart contract for its cross-chain bridge on Sunday. The protocol stated the flaw allowed the unauthorized transfer of user tokens.
CEO Boris Povar later said the team identified ten Ethereum addresses that received the wrongfully taken funds. Povar warned that if the funds are not returned within 72 hours, the team would escalate the matter as a judicial issue involving criminal referrals and litigation.
Security firm Decurity provided an initial estimate of losses around $3 million across several networks. Another firm, BlockSec, estimated a total of roughly $2.76 million was taken from chains including Ethereum and Arbitrum.
BlockSec analysts stated the exploit stemmed from a “lack of validation” in the receiving contract. “The cross‑chain messages that should have been validated were not verified, causing the destination‑chain contract to believe the message reflected a genuine transaction,” they explained.
Dan Dadybayo of Unstoppable Wallet noted this represented a receiver-side failure, not a flaw in the underlying messaging protocol. “The hard part of bridge security isn’t the messaging layer, it’s making sure nothing happens until authenticity is fully proven,” he stated.
