Key Takeaways
- CrossCurve’s cross-chain bridge was hit for approximately $3 million across several networks due to a critical vulnerability.
- The attacker bypassed validation by spoofing messages within the ReceiverAxelar contract to unlock tokens on the PortalV2.
- CEO Boris Povar has offered a 10% white-hat bounty for the return of funds, threatening legal action if not resolved within 72 hours.
CrossCurve Offers 10% Bounty if Funds Returned in 72 Hours
The DeFi community was dealt a sobering reminder of bridge vulnerabilities this week as CrossCurve fell victim to a sophisticated smart contract exploit. The attack, which drained roughly $3 million, targeted a flaw in the protocol’s communication layer. Security analysts from Defimon Alerts noted that the attacker was able to call the expressExecute function with a spoofed message. This maneuver effectively “tricked” the system into bypassing standard gateway validation, allowing for the unauthorized unlocking of tokens.
As soon as the exploit hit, the CrossCurve team went into crisis mode, pleading with users to stop using the protocol. Their partners over at Curve Finance backed them up, telling LPs to keep a close eye on their stakes and maybe even yank their votes from CrossCurve pools for now. It’s the same old story with cross-chain bridges—one tiny flaw in a side contract is all it takes to put everything at risk across a dozen different chains.
Now, CEO Boris Povar is trying to play ball with the hacker. He called out 10 addresses involved and essentially offered a peace treaty. Calling the whole thing a possible “oversight” rather than a malicious hit, he’s dangling a $300,000 reward (that’s 10% of the loot) if the money comes back to the treasury in the next three days.
But don’t mistake the kindness for weakness—Povar warned that if they don’t see the funds by the 72-hour mark, they’re bringing in the police and filing lawsuits to lock those assets down everywhere.
Final Thoughts
While the 72-hour clock is ticking, the CrossCurve exploit serves as a stark warning for the bridging sector. Security must remain the priority over speed in the race for cross-chain liquidity.
Frequently Asked Questions
How was CrossCurve exploited?
An attacker used spoofed messages to bypass validation in the ReceiverAxelar contract, unlocking $3 million in tokens.
What should CrossCurve users do?
Users are advised to pause all interactions with the protocol and review any positions in related Curve Finance pools.
Will the hacker return the money?
The CEO has offered a 10% bounty for the return of funds within 72 hours; otherwise, law enforcement will be involved.
