Threat Management, Vulnerability Management

CrossCurve bridge loses $3 million in smart contract exploit

As detailed in The Cyber Express, the decentralized finance protocol CrossCurve, formerly known as EYWA, has experienced a significant cyberattack. Attackers successfully exploited a vulnerability within its smart contract infrastructure, leading to the draining of approximately $3 million across several blockchain networks.

The incident occurred when attackers leveraged a flaw in CrossCurve's ReceiverAxelar contract, which lacked a crucial validation check. This allowed them to bypass gateway validation and execute an unauthorized expressExecute function with spoofed cross-chain messages. The exploit triggered unauthorized token unlocks on the PortalV2 contract, resulting in the loss of funds. Security analysis indicates the attack unfolded across multiple chains, not just one. The PortalV2 contract's balance reportedly dropped from around $3 million to near zero on January 31. CrossCurve, which utilizes a multi-validation bridge system involving Axelar, LayerZero, and its own EYWA Oracle Network, had previously highlighted its architecture as a security strength.

This attack on CrossCurve, which received early support from prominent figures like Curve Finance founder Michael Egorov, raises renewed concerns about the security of cross-chain bridges. Despite layered validation systems, a single smart contract vulnerability proved sufficient to compromise the protocol. The incident echoes past bridge hacks, such as the 2022 Nomad bridge exploit, underscoring the persistent risks in cross-chain communication and the need for enhanced security audits and user vigilance in the decentralized finance space.

Source: The Cyber Express

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds