The cross-chain landscape continues to be a primary target for sophisticated exploits. Between January 31 and February 1, 2026, CrossCurve (formerly known as the EYWA Protocol), a cross-chain liquidity bridge developed in collaboration with Curve Finance, became the latest victim. The protocol suffered a critical bridge exploit resulting in the loss of approximately $1.44 million in liquid assets, while an additional 999 million EYWA tokens were minted but successfully frozen.
Unlike traditional smart contract “re-entrancy” or “flash loan” attacks, this incident was a failure of cross-chain message validation, highlighting the extreme risks associated with bridge integrations and decentralized gateway authentication.
The Exploit: Logic Failure & Spoofing
The exploit was rooted in a critical access control flaw within CrossCurve’s ReceiverAxelar contract. By exploiting a missing validation check in the expressExecute function, the attacker was able to bypass the protocol’s gateway authentication.
Essentially, the attacker “spoofed” (faked) cross-chain messages that the protocol accepted as legitimate commands. This allowed the malicious actor to trigger unauthorized token unlocks from the PortalV2 contract across multiple networks, including Ethereum and Arbitrum. While the total market value of stolen liquid assets reached ~$1.44M, the rapid response from the team and centralized exchanges prevented the liquidation of nearly a billion EYWA tokens.
Exploit Update
In our ongoing investigation into the exploit, we have identified an additional $140,762 of stolen funds via bot-driven attacks.
Below you can see the updated table, which now includes these additional details. We remain committed to keeping the community fully… pic.twitter.com/xUmvKK5vhG
— CrossCurve (@crosscurvefi) February 3, 2026
Incident Timeline (UTC)
The attack was a multi-day operation that began with quiet exploitation across secondary chains before moving to major liquidity pools.
| Date/Time | Event | Action Taken |
| Jan 31, 2026 | Initial Reconnaissance | Attacker begins quiet exploitation across multiple side-chains. |
| Feb 1, Midnight | Major Bridge Drain | Unauthorized token unlocks detected on Portal contracts. |
| Feb 2, 02:15 AM | Public Warning | CrossCurve issues an urgent security notice on X. |
| Feb 2, Morning | Protocol Lockdown | CrossCurve pauses all bridge interactions globally. |
| Feb 2, 10:22 PM | Official Disclosure | Detailed breakdown of stolen assets published. |
| Feb 3, 2026 | Ultimatum | A 72-hour deadline with a 10% bounty is issued. |
Technical Breakdown: The Mechanism of Spoofing
The vulnerability resided specifically in how CrossCurve processed messages from the Axelar network.
The Root Cause: ReceiverAxelar Contract
The ReceiverAxelar contract contained a function named expressExecute(). In a secure implementation, this function should verify that the message it receives is authenticated by a trusted cross-chain gateway.
The Failure Points:
-
Public Accessibility: The
expressExecute()function was publicly callable. -
Insufficient Authentication: The only significant check enforced was whether a
commandIdhad already been executed. -
CommandId Bypass: The attacker generated fresh, unused
commandIds. Since the contract only checked for “uniqueness” and not “authenticity,” the spoofed messages were processed. -
Low Threshold: The confirmation threshold was set to 1, effectively disabling multi-guardian validation.
Stolen Assets Breakdown
The following data represents the confirmed loss according to CrossCurve’s disclosure:
Liquid Assets (Total Value: ~$1,441,892.31)
-
USDT: 815,361.00
-
CRV: 239,889.64
-
WETH: 123.59
-
WBTC: 2.64
-
Other (USDC, USDB, frxUSD): ~$50,000.00
The “Frozen” Assets
The attacker also extracted 999,787,453 EYWA tokens to Ethereum. However, these are currently unusable because DEX pools are shallow, the bridge is paused, and exchanges like XT have frozen the hacker’s deposits.
Attacker Profiles & Fund Flow
The exploit was executed using a cluster of 10 identified wallets. The primary wallet was funded via the FixedFloat exchange.
-
Primary Wallet:
0x632400f42e96a5deb547a179ca46b02c22cd25cd -
Strategy: The attacker primarily exploited Arbitrum, swapped tokens for WETH via CoW Protocol, and bridged to Ethereum mainnet via Across Protocol.
Security Failures & Industry Lessons
This breach provides several critical takeaways for the DeFi community:
-
Trustless Bridges are not always “Trustless”: Gateway Validation must be strictly enforced.
-
Privileged Functions must be Restricted: Use
onlyGatewayoronlyRelayermodifiers. -
Guardian Thresholds: Setting a threshold of 1 is inherently risky.
-
Historical Context: While 2025 saw security improvements, the CrossCurve incident, much like the recent Step Finance hack, shows that operational and logic errors remain the industry’s Achilles’ heel. This event marks a rough start for February, following the wave of Crypto Hacks and Scams January 2026.
Current Status and Recovery
CrossCurve has offered a 10% bounty (~$144,000) for the return of the funds under a “SafeHarbor WhiteHat” agreement. Major exchanges (KuCoin, MEXC, BitMart) are monitoring the hacker’s addresses.
Securing the Cross-Chain Future
The CrossCurve exploit is a textbook example of how a small oversight in “Message Validation” can lead to a multi-million dollar loss. The industry must move toward mandatory multi-guardian thresholds and strict gateway verification to prevent “spoofing” from remaining a viable attack vector in 2026.
