DeFi Protocol CrossCurve Smart Contract Exploited, Suffers $3M Loss Across Multiple Chains

Cross-chain bridge CrossCurve announced Monday that it has suffered a major attack, losing $3 million across multiple networks.

The DeFi protocol noted that a vulnerability in its smart contracts had been exploited, raising security concerns about cross-chain infrastructure.

“Our bridge is currently under attack,” it wrote on X, warning users to suspend all interactions with CrossCurve.

⚠️ URGENT Security Notice

Dear users,

Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used.

Please pause all interactions with CrossCurve while the investigation is ongoing.

We appreciate your patience and… pic.twitter.com/yfo1KvWoDd

— CrossCurve (@crosscurvefi) February 1, 2026

Smart Contract Flaw: Attackers Used Spoof Messages

Per CrossCurve post, some user addresses received token funds due to the smart contract vulnerability that were “wrongfully taken” from other users.

“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” the platform wrote, identifying a total of 10 addresses.

According to blockchain security account Defimon Alerts, a vulnerable CrossCurve’s smart contracts ReceiverAxelar, allowed anyone to spoof cross-chain message, bypassing the gateway validation. This has triggered unauthorized token unlocks on PortalV2 contract.

CrossCurve @crosscurvefi (ex https://t.co/4HJ33uOZUS) has been exploited for around 3 million on several networks.

Anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2.… pic.twitter.com/EfYe3Tfo9v

— Defimon Alerts (@DefimonAlerts) February 1, 2026

Besides, Curve Finance wrote that users who have allocated votes to the platform-related pools “may wish to review their positions and consider removing those votes.”

The protocol is backed by Curve Finance founder Michael Egorov and raised $7 million from VCs in 2023.

CrossCurve Offers 10% White Hat Bounty, Sets 72-Hour Limit

Per the Safe Harbor Responsible Disclosure Policy, which details the steps to implement responsible reporting of security vulnerabilities, if a white-hat hacker assists in fund recovery, a 10% bounty will be provided.

“This makes you eligible to keep up to 10% if the remainder is returned,” the project team noted.

Besides, CrossCurve has set a 72-hour limit for hackers to return the funds. If no effective communication is established, the project team will take immediate escalation.

This includes formal criminal and civil proceedings, collaborating with exchanges such as Coinbase and Binance, stablecoin issuers, law enforcements and on-chain analytics firms, including Chainalysis, TRM Labs and Elliptic.

CrossCurve hack is similar to Nomad’s $190 million bridge exploit in 2022, which saw an estimated 8000 Solana wallets compromised.

“In terms of prevention, an industry set of standard smart contract templates that are known to be secure, smart contract auditing and secure software development lifecycles would be steps in the right direction,” Andrew Morfill, Chief Information Security Officer at Komainu, told Cryptonews. “As the market matures, securely developed and updated protocols with real utility will provide the credibility and security assurance investors are looking for.”