CrossCurve has confirmed that its cross-chain bridge is under active attack after a missing validation check allowed spoofed cross-chain messages to pass through its system.
The vulnerability enabled attackers to drain funds directly from the protocol’s PortalV2 contract, with onchain data showing losses of roughly $3 million spread across multiple blockchain networks.
The team publicly acknowledged the exploit and urged users to immediately pause all interactions with the platform while emergency investigations continue.
CrossCurve, formerly known as EYWA, is a Curve-backed interoperability project supported by Curve founder Michael Egorov and previously raised approximately $7 million in funding.
The confirmation marks yet another reminder of how cross-chain bridges remain one of the most targeted and vulnerable components of DeFi infrastructure.
Exploit details: how many of which tokens were taken
As we continue the investigation into the exploit of our bridge, below is a detailed breakdown of the assets stolen.
Let’s start with $EYWA. Even though it was launched on Ethereum, our native token’s entire supply was moved… pic.twitter.com/OBDiJFv0mU
— CrossCurve (@crosscurvefi) February 2, 2026
Contents
Validation Flaw Lets Spoofed Messages Drain PortalV2 Funds
According to CrossCurve’s initial technical findings, the exploit originated from a missing validation check in the bridge’s message verification process.
This flaw allowed attackers to craft fraudulent cross-chain instructions that appeared legitimate to the protocol, enabling unauthorized withdrawals without triggering internal safeguards.
Once the spoofed messages passed through the system, the attacker systematically drained assets held within the PortalV2 contract across several connected networks.
Bridge exploits have become a dominant attack vector in crypto over the past two years, largely because they hold pooled liquidity designed to move assets between chains quickly, creating massive single points of failure.
In CrossCurve’s case, the exploit did not require breaching smart contract logic directly. Instead, it abused the messaging layer that coordinates asset movement across ecosystems.
The team has since frozen the exploited bridge and launched a full forensic review to understand exactly how the validation mechanism was bypassed.
Hacker Drains EYWA Tokens But Cannot Liquidate Them
One of the largest assets affected by the breach was EYWA, CrossCurve’s native token.
The attacker extracted 999,787,453.03 EYWA tokens onto the Ethereum network, but the team quickly clarified that these tokens are effectively trapped and cannot be sold or circulated.
Despite EYWA launching originally on Ethereum, its entire circulating supply was migrated to Arbitrum during the token generation event.
As a result:
• There are no DEX liquidity pools for EYWA on Ethereum
• The only centralized exchange that supported Ethereum-network EYWA froze deposits
• The exploited bridge has been frozen to block further movement
In practical terms, the stolen EYWA tokens now sit isolated on Ethereum with no route to exit, trade, or impact circulating supply.
CrossCurve emphasized that all EYWA held on Arbitrum remains fully safe, and users can continue swapping and trading normally on both decentralized and centralized exchanges.
To reinforce containment, the team also contacted major trading platforms, including KuCoin, Gate, MEXC, BingX, and BitMart, to ensure the attacker has zero opportunity to liquidate any stolen tokens.
Other Tokens Successfully Drained From The Bridge
While the EYWA portion of the exploit remains neutralized, the hacker did manage to successfully extract a range of other assets from the bridge infrastructure.
The stolen token volumes include:
3CRV, 2,578.22
USDT, 815,361
WETH, 123.59
CRV, 239,889.64
2CRV, 2,421.92
USDC, 34,820.73
WBTC, 2.64
USDB, 10,288.43
c(USD)CT, 4,199.24
frxUSD, 1,064.99
In market value terms, losses were split between:
• $110,194.49 from CrossCurve liquidity pools
• $1,331,697.82 from the Units blockchain
This brings the confirmed total to $1,441,892.31 in assets that were successfully removed and remain under attacker control.
While smaller than some recent bridge exploits, the breach still represents a major security incident for a growing interoperability protocol.
Exchanges Freeze Deposits As Investigation Intensifies
CrossCurve has moved aggressively to limit any potential downstream damage from the exploit.
Beyond freezing the compromised bridge, the team coordinated directly with centralized exchanges to ensure stolen assets cannot be deposited, swapped, or laundered through trading platforms.
This rapid response significantly reduces the attacker’s ability to realize profits, a tactic that has increasingly become standard practice in modern DeFi incident containment.
At the same time, CrossCurve has launched a full investigation to determine:
• The exact exploit pathway
• Whether additional vulnerabilities exist
• How to permanently harden validation mechanisms
• What long-term protocol upgrades are required
The team has also issued a 72-hour window for the attacker to initiate contact regarding a potential return of stolen funds, a common approach in DeFi incidents that sometimes results in partial or full recovery.
Meanwhile, blockchain forensic tracking is actively mapping associated wallets and transaction flows to identify the attacker’s broader network.
Another Warning Sign For Cross-Chain Bridge Security
The CrossCurve exploit adds to a growing list of bridge-focused attacks that continue to drain hundreds of millions from the crypto ecosystem each year.
While smart contract auditing has improved across DeFi, cross-chain messaging systems remain complex, fragmented, and difficult to fully secure, often involving offchain relayers, verification layers, and custom validation logic.
A single missing check, as seen in this incident, can expose massive pooled liquidity in seconds.
For protocols, this highlights the urgent need for:
• Formal verification of bridge logic
• Redundant validation systems
• Time delays on large cross-chain transfers
• Continuous real-time monitoring
• Segmented liquidity instead of single pools
For users, it reinforces that bridges remain among the highest-risk components of decentralized infrastructure, even when backed by experienced teams and major industry figures.
Although CrossCurve acted quickly to contain damage and protect user funds, the exploit underscores how fragile interoperability layers can be when even small implementation flaws exist.
As cross-chain activity continues to grow, security around validation mechanisms will likely become one of the most critical battlegrounds in DeFi’s next evolution.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
