The cross-chain liquidity protocol CrossCurve was attacked due to a smart contract vulnerability, resulting in a theft of approximately 3 million dollars

According to The Block, the cross-chain liquidity protocol CrossCurve (formerly known as EYWA) has confirmed that its cross-chain bridge protocol "is under attack" due to a vulnerability in its smart contract being exploited, resulting in approximately $3 million in funds being stolen across multiple networks. Blockchain security firm Defimon Alerts discovered that the attack vector was a gateway validation bypass vulnerability in CrossCurve's ReceiverAxelar contract.

Analysis shows that anyone can use a forged cross-chain message to call the contract's expressExecute function, thereby bypassing the expected gateway validation and triggering unauthorized token unlocks on the protocol's PortalV2 contract. The protocol is supported by Curve Finance founder Michael Egorov, who previously raised $7 million.