Cross-chain protocol CrossCurve (formerly EYWA) lost approximately $3 million between January 31 and February 1, 2026, after an attacker exploited a validation flaw in its ReceiverAxelar smart contract. The vulnerability allowed anyone to spoof cross-chain messages and trigger unauthorized withdrawals from the protocol’s liquidity pools.
Incident overview
| Attribute | Details |
|---|
| Protocol | CrossCurve (formerly EYWA) |
| Attack type | Message validation bypass |
| Total losses | ~$2.76-3 million |
| Attack dates | January 31 - February 1, 2026 |
| Vulnerable contract | ReceiverAxelar |
| Bridge status | Paused |
| Notable backer | Curve Finance founder Michael Egorov |
| Previous fundraising | $7 million from VCs |
The vulnerability
The ReceiverAxelar contract was designed to receive and process cross-chain messages routed through the Axelar network.
Root cause
| Issue | Description |
|---|
| Missing validation | Contract didn’t verify messages originated from Axelar gateway |
| Trusted function | expressExecute could be called directly with fabricated data |
| Format vs. origin | Contract checked message format but not message source |
| Downstream trust | PortalV2 trusted ReceiverAxelar’s forwarded messages |
“CrossCurve’s custom ReceiverAxelar contract executed cross-chain messages without sufficiently authenticating them first.”
— Blockchain security researcher Dadybayo
Gateway validation bypass
Blockchain security account Defimon Alerts identified the specific attack vector:
| Component | Flaw |
|---|
| expressExecute function | Could be called directly by anyone |
| Message spoofing | Fabricated cross-chain messages accepted |
| Gateway check | Missing verification of Axelar gateway origin |
| Token unlocks | Triggered without legitimate cross-chain request |
Attack execution
| Phase | Action |
|---|
| 1 | Attacker calls expressExecute with fabricated payload |
| 2 | Payload mimics legitimate cross-chain transfer request |
| 3 | ReceiverAxelar trusts the message and forwards to PortalV2 |
| 4 | PortalV2 releases tokens to attacker-controlled addresses |
| 5 | Attacker moves funds through DEXs and mixers |
Arkham Intelligence data shows the PortalV2 contract balance collapsed from roughly $3 million to nearly zero on January 31.
Losses by chain
BlockSec estimated total losses at approximately $2.76 million:
| Chain | Estimated Loss |
|---|
| Ethereum | ~$1.30 million |
| Arbitrum | ~$1.28 million |
| Optimism | Partial losses |
| Base | Partial losses |
| Mantle | Partial losses |
| Kava | Partial losses |
| Frax | Partial losses |
| Celo | Partial losses |
| Blast | Partial losses |
| Attribute | Details |
|---|
| Tokens extracted | 999,787,453.03 EYWA |
| Network | Ethereum |
| Status | Effectively trapped |
| Reason | Circulating supply migrated to Arbitrum |
The team clarified that the extracted EYWA tokens cannot be sold or circulated because the entire circulating supply was migrated to Arbitrum during the token generation event.
CrossCurve’s response
| Action | Details |
|---|
| Bridge paused | Operations halted immediately |
| Wallet identification | 10 Ethereum addresses identified |
| Investigation | Working with blockchain analytics firms |
| Fund freezing | Coordinating with exchanges to block assets |
CEO statement
CrossCurve CEO Boris Povar announced: “These tokens were wrongfully taken from users due to a smart contract exploit. If the funds are not returned or no contact is established within 72 hours, we will have to assume malicious intent and treat this as a judicial matter.”
White-hat bounty offer
| Term | Details |
|---|
| Bounty offered | 10% of remaining funds |
| Policy | SafeHarbor WhiteHat policy invoked |
| Deadline | 72 hours from block 24364392 |
| Warning | Legal action if no contact established |
Ecosystem warnings
Curve Finance issued a warning to its community: “Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes.”
Protocol background
| Attribute | Details |
|---|
| Previous name | EYWA |
| Notable investor | Michael Egorov (Curve Finance founder) |
| Investment date | September 2023 |
| VC funding | $7 million raised |
| Purpose | Cross-chain bridge infrastructure |
Historical context
Nomad bridge comparison
Security expert Taylor Monahan drew direct comparisons to the Nomad bridge hack:
| Incident | Date | Losses | Root cause |
|---|
| Nomad bridge | August 2022 | $190 million | Message validation failure |
| CrossCurve | February 2026 | $3 million | Message validation failure |
“I cannot believe nothing has changed in four years.”
— Taylor Monahan, analyzing the exploit’s similarities
Bridge exploit statistics
| Period | Losses |
|---|
| 2023-2025 | $2.5+ billion in bridge exploits |
| January 2026 | $370.3 million stolen (CertiK data) |
| January 2025 | ~$95 million |
| Increase | Nearly 4x year-over-year |
January 2026 was the highest monthly figure for crypto exploits in 11 months.
Common bridge vulnerability patterns
| Pattern | Description |
|---|
| Insufficient message validation | This attack |
| Signature verification flaws | Cryptographic bypass |
| Replay attacks across chains | Reusing valid messages |
| Oracle manipulation | Price feed attacks |
| Admin key compromise | Private key theft |
Lessons for bridge developers
Architecture requirements
| Requirement | Implementation |
|---|
| Message authentication | Verify origin, not just format |
| Gateway validation | Confirm messages come through legitimate infrastructure |
| Defense-in-depth | Multiple validation layers |
| Rate limiting | Cap withdrawal volumes per time window |
| Caller verification | Check msg.sender against trusted gateways |
Operational controls
| Control | Benefit |
|---|
| Multi-sig on large transfers | Human approval for significant movements |
| Timelocks | Window to detect and halt exploits |
| Circuit breakers | Automatic pause on anomalous activity |
| Security monitoring | Real-time alerting on unusual patterns |
Audit focus areas
| Area | Specific tests |
|---|
| Message handlers | Can they be called directly with spoofed data? |
| Trust boundaries | Where does the contract trust external input? |
| Gateway integration | Is the connection to the cross-chain network secure? |
| Authorization checks | Who can trigger fund movements? |
| Caller validation | Does the contract verify msg.sender? |
Technical recommendations
For bridge protocols
| Priority | Action |
|---|
| Critical | Validate message origin, not just format |
| Critical | Implement caller verification on sensitive functions |
| Critical | Implement rate limiting on withdrawals |
| High | Add multi-sig or timelocks for large transfers |
| High | Conduct specialized bridge security audits |
| Ongoing | Monitor for exploitation patterns |
For DeFi users
| Priority | Action |
|---|
| High | Limit exposure to any single bridge |
| High | Monitor bridge security disclosures |
| Medium | Consider bridge insurance where available |
| Ongoing | Diversify cross-chain strategies |
| Medium | Check protocol audit history before use |
Investigation status
| Item | Status |
|---|
| Attacker identification | 10 wallets identified |
| Fund tracing | Ongoing with analytics firms |
| Exchange coordination | Assets frozen where possible |
| Bridge operations | Paused |
| Bounty deadline | 72 hours from block 24364392 |
White-hat bounty offers occasionally work in DeFi—the Euler Finance attacker returned $197 million in 2023—but more often the funds disappear into mixers.
Context
The CrossCurve exploit reinforces that cross-chain bridge security remains one of the most challenging problems in DeFi. Bridges are attractive targets because they hold large amounts of liquidity, and their security depends on correctly validating messages across different blockchain environments—a complex problem that’s easy to get wrong.
| Risk factor | CrossCurve situation |
|---|
| High TVL concentration | ~$3 million in single contract |
| Complex validation requirements | Cross-chain message authentication |
| Multiple attack surfaces | Nine+ chains supported |
| Audit coverage | Unknown for specific vulnerability |
The fact that this exploit mirrors the Nomad bridge hack from four years earlier suggests the DeFi ecosystem has not adequately incorporated lessons from past incidents. Until bridge protocols implement rigorous message authentication and defense-in-depth controls, these attacks will continue.
The involvement of prominent backers like Curve Finance founder Michael Egorov doesn’t guarantee security—technical due diligence on smart contract implementations remains essential regardless of investor reputation.
