The CrossCurve cross-chain bridge has suffered a security breach, prompting the protocol to warn users to suspend all interactions. The exploit, reportedly resulting in $3 million in losses across multiple networks, stemmed from a vulnerability in a smart contract that allowed unauthorized token unlocks. Partner Curve Finance advised users to review their positions.
The crypto bridge protocol CrossCurve has told users to pause interacting with its service while it investigates a smart contract breach. The protocol posted that its bridge was “under attack, involving the exploitation of a vulnerability in one of the smart contracts used.”
Blockchain security account Defimon Alerts reported the exploit resulted in losses of around $3 million on several networks. The account stated that a smart contract flaw allowed anyone to spoof a cross-chain message to bypass validation.
Specifically, Defimon Alerts stated that “anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2.” This mechanism permitted the unauthorized release of locked tokens.
Curve Finance, which has a partnership with CrossCurve, advised users who allocated to CrossCurve pools to review their positions. The post added, “We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects.”
