CrossCurve's $3 Million Cross-Chain Bridge Attack: How Forged Messages Bypassed Security Verification

On Sunday, DeFi project CrossCurve (formerly EYWA) experienced a major security incident. The project’s team discovered a critical vulnerability in its cross-chain asset transfer mechanism, resulting in approximately $3 million worth of funds being illegally misappropriated. According to investigations by security firms such as BlockSec, this incident once again exposes the systemic risks present in current cross-chain bridge security.

The CrossCurve team subsequently locked ten Ethereum wallet addresses that received the stolen assets. In a statement, CrossCurve CEO Boris Povar said that preliminary evidence does not indicate the recipients intentionally participated in malicious activities, but the team has set a 72-hour deadline. If the funds are not returned or the recipients do not contact the team, CrossCurve will escalate its response, including reporting to law enforcement, freezing exchange assets, publicly disclosing wallet information, and collaborating with on-chain analysis firms to trace the flow of funds.

Attack Method Breakdown: How Forged Cross-Chain Messages Bypass Verification

At its core, the attack bypassed message verification. The attacker successfully sent forged cross-chain communication messages to CrossCurve’s smart contract. These false instructions should have been recognized and rejected by the system, but due to inadequate validation logic, the contract mistakenly treated the deceptive data as legitimate commands, leading to unauthorized fund withdrawals.

BlockSec’s analysis report points out that the root cause lies in “serious deficiencies in the verification mechanism.” Cross-chain messages require authentication before execution, but in CrossCurve’s architecture, these essential checks were not properly implemented, allowing the contract to accept and process unverified data.

Losses Across Multiple Chains and Fund Distribution

Regarding the scale of losses, industry estimates vary. Defimons (a security monitoring account operated by Decurity) estimates total losses at around $3 million across multiple blockchain networks. BlockSec provides a more detailed distribution: approximately $1.3 million lost on Ethereum, about $1.28 million on Arbitrum, with roughly $180,000 spread across emerging chains such as Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.

CrossCurve has not yet issued an official total loss figure nor responded to the estimates from security firms. This inconsistency highlights the ongoing challenge of accurately quantifying cross-chain losses within the ecosystem.

Fundamental Vulnerability: The Deadly Weakness of Single Validation Points

Dani Dadybayo, Head of Research and Strategy at Unstoppable Wallet, provided a deeper technical analysis of the incident. He pointed out that the issue does not lie with the Axelar cross-chain protocol itself, which is sound, but rather with CrossCurve’s custom ReceiverAxelar contract. This tailored message receiver failed to implement sufficient identity verification during cross-chain communication.

Dadybayo emphasized that the key challenge in cross-chain bridge security is not just the message transmission layer but ensuring that no execution path can bypass authentication checks. If any alternative execution route can circumvent this safeguard, the entire trust model collapses.

He cited the 2022 Nomad bridge attack as an example: in that incident, attackers exploited verification flaws to cause nearly $190 million in losses. This demonstrates that similar attack techniques have appeared in the industry before, yet some projects continue to repeat these fundamental mistakes when designing contracts.
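
The requirement Dadybayo describes, that every execution path passes the same authentication check, is illustrated by the following added example; it is not CrossCurve's or Axelar's code. `validateContractCall` is the Axelar gateway's approval check, while `GuardedReceiver`, `Message`, `trustedPeer`, `setTrustedPeer` and `executeBatch` are hypothetical names chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Axelar's gateway interface: returns true only for a call the gateway
// approved for msg.sender, and consumes that approval so it cannot be replayed.
interface IAxelarGateway {
    function validateContractCall(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes32 payloadHash) external returns (bool);
}

// Hypothetical receiver written for illustration only.
contract GuardedReceiver {
    struct Message { bytes32 commandId; string sourceChain; string sourceAddress; bytes payload; }

    IAxelarGateway public immutable gateway;
    address public immutable owner;
    // keccak256(chain name) => keccak256(our sender contract's address string on that chain),
    // stored in exactly the textual form the gateway reports it.
    mapping(bytes32 => bytes32) public trustedPeer;

    error NotOwner(); error UntrustedSource(); error NotApprovedByGateway();
    event Executed(bytes32 indexed commandId, bytes32 payloadHash);

    constructor(IAxelarGateway gateway_) { gateway = gateway_; owner = msg.sender; }

    function setTrustedPeer(string calldata chain, string calldata peer) external {
        if (msg.sender != owner) revert NotOwner();
        trustedPeer[keccak256(bytes(chain))] = keccak256(bytes(peer));
    }

    // Entry point 1: the standard single-message path.
    function execute(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes calldata payload) external {
        _process(commandId, sourceChain, sourceAddress, payload);
    }
    // Entry point 2: a batch path. It reuses the same choke point, so it cannot skip the checks.
    function executeBatch(Message[] calldata ms) external {
        for (uint256 i = 0; i < ms.length; i++)
            _process(ms[i].commandId, ms[i].sourceChain, ms[i].sourceAddress, ms[i].payload);
    }
    // The only route to the state change: peer allowlist first, then gateway approval.
    function _process(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes calldata payload) private {
        bytes32 peer = trustedPeer[keccak256(bytes(sourceChain))];
        if (peer == bytes32(0) || peer != keccak256(bytes(sourceAddress))) revert UntrustedSource();
        bytes32 payloadHash = keccak256(payload);
        if (!gateway.validateContractCall(commandId, sourceChain, sourceAddress, payloadHash))
            revert NotApprovedByGateway();
        emit Executed(commandId, payloadHash); // asset release would follow here
    }
}
```

When auditing a receiver of this shape, enumerate every external or public function that can reach the asset-releasing code and confirm each one passes through the single authenticated function.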

Industry Challenges in Cross-Chain Security and Lessons for Defense

The consensus in the industry is that the core issues with current cross-chain bridges stem from their centralized liquidity structures and siloed validation logic. As long as bridge projects delegate trust to a single validation process, any flaw in that process can render the entire system vulnerable.

For users, recommended protective measures include:

  • Exercising caution with cross-chain operations, especially for newly launched or less-known bridges
  • Reviewing security audit reports before use, prioritizing products audited by reputable security firms
  • Diversifying risk by avoiding transferring large amounts of funds through a single bridge at once
  • Monitoring real-time risk alerts from security monitoring platforms related to the project

The CrossCurve incident underscores that even within seemingly mature DeFi ecosystems, security gaps remain exploitable. The rise of cross-chain technology promotes multi-chain collaboration but also creates new opportunities for attackers. Only through stricter design standards, comprehensive security audits, and transparent risk disclosures can the security vulnerabilities of the cross-chain ecosystem be gradually mitigated.