Multichain bridge CrossCurve announced Monday that it suffered a major attack, losing $3 million across multiple networks.
The DeFi protocol indicated that a vulnerability in its smart contracts had been exploited, raising security concerns regarding its multi-chain infrastructure.
“Our bridge is currently under attack,” he wrote on Platform X, warning users to suspend all interactions with Cross Curve.
Urgent safety notice
Dear user,
Our bridge is currently under attack involving the exploitation of a vulnerability in one of the smart contracts used.
Please suspend all interactions with Cross Curve while the investigation continues.
We thank you for your patience and cooperation… pic.twitter.com/yfo1KvWoDd
-CrossCurve (@crosscurvefi) February 1, 2026
Smart contract vulnerability: attackers used spoofed messages
According to Cross Curve’s post, some user addresses received funds from tokens due to a smart contract vulnerability that was unfairly taken over by other users.
“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” the platform wrote, referring to a total of 10 addresses.
According to blockchain security account Devimon Alerts, the vulnerable future cross-curve smart contract Akslar allowed anyone to forge a cross-chain message, bypassing gateway verification. This resulted in unauthorized unlocking of tokens on Portal V2 nodes.
Cross curve exploited @crosscurvefi (formerly known as) for around $3 million across multiple networks.
Anyone can call expressExecute on ReceiverAxelar nodes using a fake cross-chain message, bypassing portal verification and allowing the token to be opened on PortalV2.… pic.twitter.com/EfYe3Tfo9v
– Defimon Alerts (@DefimonAlerts) February 1, 2026
Additionally, Curve Finance wrote that users who assigned their votes to pools associated with the platform “may wish to review their positions and consider deleting those votes.”
The protocol is backed by Curve Finance founder Michael Egorov and received $7 million in venture funding in 2023.
Cross Curve offers 10% bounty to ethical hackers and sets a 72-hour deadline
According to the Responsible Vulnerability Disclosure Policy, which outlines the steps to implement responsible vulnerability reporting, if an ethical hacker helps recover funds, a 10% reward will be offered.
“This allows you to keep up to 10% if the rest is returned,” the project team noted.
Additionally, Cross Curve set a 72-hour deadline for hackers to return the funds. If effective communication is not established, the project team will immediately take necessary action.
This includes formal criminal and civil proceedings and cooperation with trading platforms such as Coinbase and Binance, stablecoin issuers, law enforcement and blockchain analysis companies including Chainalysis, TRM Labs and Elliptic.
The Cross Curve hack is similar to the $190 million Nomad Bridge exploit in 2022, which saw around 8,000 Solana wallets compromised.
“In terms of prevention, a set of standard smart contract models known to be secure, smart contract auditing, and secure software development lifecycles would be steps in the right direction,” Andrew Morville, head of information security at Comino, told CryptoNews. “As the market matures, securely developed and maintained protocols that are truly useful will provide the credibility and security guarantees that investors are looking for.”
The post Smart contract for decentralized finance protocol CrossCurve was exploited, leading to a $3 million loss across multiple chains appeared first on Cryptonews Arabic.
