A fresh security incident has hit the DeFi sector, with the crosscurve hack underscoring growing concerns around cross-chain protocols and on-chain infrastructure.
CrossCurve bridge hit by $3 million exploit
CrossCurve, a decentralized cross-chain liquidity protocol, confirmed that its bridge infrastructure was attacked, with estimated losses of around $3 million. The team disclosed the incident after detecting suspicious activity affecting one of its deployed smart contracts.
The exploit comes amid a broader rise in crypto attacks. Moreover, it lands in a period when security firms are warning that sophisticated threats are increasingly targeting cross-chain bridges and liquidity routing systems.
The protocol said the attack affected its cross-chain bridge component, which relies on multiple smart contracts to move assets across different networks. However, the team moved quickly to issue public warnings and pause user interactions while it investigated.
Technical details of the cross-chain bridge exploit
The attack focused on a specific smart contract vulnerability within CrossCurve’s architecture. In an urgent notice posted on its official X account on 2026, the team urged users to immediately stop interacting with the protocol while the situation was assessed.
CrossCurve wrote that its bridge was “currently under attack” and that a flaw in one of the contracts used by the system was being exploited. That said, the project emphasized that users should “pause all interactions” with CrossCurve until further updates were available.
According to Defimon Alerts, an automated monitoring account operated by security company Decurity, the exploit allowed attackers to abuse the ReceiverAxelar contract. Moreover, the issue reportedly enabled calls to the expressExecute function using spoofed cross-chain messages.
The post from Defimon Alerts explained that the malicious calls bypassed gateway validation and triggered unauthorized unlocks on the PortalV2 contract. On-chain data later showed that roughly $3M had been drained from PortalV2 across several networks through this mechanism.
CrossCurve response and SafeHarbor policy
In a follow-up update, CrossCurve said it had traced funds from the exploit to 10 wallet addresses that received tokens originating from the incident. The team stressed that those addresses might not belong to malicious actors and that there was “no indication of malicious intent” from the holders at that stage.
However, CrossCurve noted that the tokens had been “wrongfully taken from users” as a result of the smart contract exploit. The project appealed for cooperation from recipients and asked them to return the digital assets that had been transferred to their wallets.
As part of its mitigation strategy, the protocol activated its SafeHarbor WhiteHat policy, offering a bounty of up to 10% to those who help rescue funds. The team clarified that anyone acting in good faith would be eligible to keep as much as 10% of the recovered amount if the remaining funds were returned.
The announcement also provided a dedicated contact email for coordination. Moreover, CrossCurve said that individuals preferring to remain anonymous could send the compromised assets directly to a specified wallet address under the SafeHarbor framework.
Deadline, escalation measures and legal steps
The crosscurve hack was accompanied by a strict timeline. CrossCurve warned that if no contact was made and the funds were not returned within 72 hours from block 24364392, the team would treat the incident as a malicious attack.
In that scenario, the project said it would escalate the matter through several channels. These include filing criminal referrals, initiating potential civil litigation, and working with centralized exchanges and stablecoin issuers to freeze associated assets where possible.
Furthermore, CrossCurve pledged to collaborate with blockchain analytics firms and law enforcement agencies. The team also indicated that, absent cooperation, it would proceed with public disclosure of the wallet data linked to the exploit.
Rising wave of crypto hacks in 2025 and 2026
The CrossCurve incident adds to a growing list of high-profile attacks on decentralized finance platforms. In January 2026, hackers stole nearly $400 million in digital assets across the industry, according to data cited in the report.
Security firm CertiK recorded more than 40 major security incidents during that month alone, highlighting the scale of the current threat environment. Moreover, cross-chain protocols and complex liquidity systems have increasingly been targeted because of the large volumes of assets they secure.
The surge in attacks follows an already damaging year for the sector. In 2025, total losses from crypto-related thefts exceeded $1 billion, making it the worst year on record for such incidents and underscoring persistent structural vulnerabilities.
Against this backdrop, the CrossCurve case illustrates how a single smart contract flaw can cascade across multiple networks and user wallets. It also shows why projects are leaning on whitehat incentives and coordinated responses to limit damage when exploits occur.
In summary, the CrossCurve exploit, the SafeHarbor response, and the broader statistics from 2025 and January 2026 reinforce the need for stronger security practices, more rigorous code audits, and faster cross-industry collaboration when bridge vulnerabilities are exposed.
Source: https://en.cryptonomist.ch/2026/02/02/crosscurve-hack-bridge-exploit/
