Decentralized finance protocol CrossCurve, formerly known as EYWA, says it has identified ten Ethereum addresses connected to a recent exploit of its cross-chain bridge, an incident that security firms estimate resulted in losses of around $3 million.

The protocol disclosed on Sunday that an attacker exploited a vulnerability in one of the smart contracts used by its token transfer system, which allows users to move assets between different blockchains. The flaw enabled funds to be released across several networks without proper verification.

Hours after the initial disclosure, CrossCurve confirmed it had traced the flow of funds and publicly identified the wallet addresses that received them.

Protocol gives 72-hour window before escalation

In a statement addressing the affected wallets, CrossCurve CEO Boris Povar said the funds were taken due to a smart contract exploit and suggested the recipients may not have acted with malicious intent.

“We do not believe this was intentional on your part, and there is no indication of malicious intent,” Povar said.

He added that CrossCurve would allow a 72-hour window for the funds to be returned or for contact to be established. If that deadline passes without resolution, the team would treat the incident as a judicial matter.

Povar said failure to return the funds would trigger immediate escalation. The response would include criminal referrals, civil litigation, coordination with centralized exchanges and token issuers to freeze assets, and the public disclosure of wallet and transaction data.

CrossCurve also said it would work with law enforcement agencies and blockchain analytics firms to track fund movements and support any legal proceedings.

Security firms estimate losses across multiple chains

Blockchain security firms have provided independent estimates of the damage. Defimon Alerts, a social account operated by security firm Decurity, said the exploit caused losses of roughly $3 million across several networks.

BlockSec later estimated total losses at approximately $2.76 million. According to the firm, about $1.3 million was taken from Ethereum and roughly $1.28 million from Arbitrum, with additional exposure on Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.

CrossCurve has not confirmed the figures cited by security researchers and has not published its own assessment of the losses.

Lack of validation enabled forged cross-chain messages

BlockSec said the exploit was caused by insufficient validation of cross-chain messages. The destination-chain contract accepted attacker-crafted payload data as legitimate, leading it to release assets without verifying that the transaction had been properly initiated on the source chain.

“The cross-chain messages that should have been validated were not verified,” BlockSec added, so the contract treated the forged message as genuine.

Custom receiver contracts remain a weak point

Dan Dadybayo, research and strategy lead at Unstoppable Wallet, said the issue did not stem from Axelar’s core messaging protocol but from how CrossCurve implemented its receiver contract.

“CrossCurve’s custom ReceiverAxelar contract executed cross-chain messages without sufficiently authenticating them first,” Dadybayo said, noting similarities to previous bridge exploits, including the Nomad hack in 2022.

He added that while cross-chain infrastructure has improved, custom receiver logic continues to present a high-risk surface.

“The challenge isn’t the messaging layer itself,” Dadybayo said.
“It’s making sure nothing executes until authenticity is fully proven. As long as bridges concentrate liquidity and rely on bespoke validation logic, they remain one of the most vulnerable areas in DeFi.”
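
A minimal Python model of the receiver-side check that BlockSec and Dadybayo describe, added here as an illustration; it is not CrossCurve's or Axelar's code. The class names, chain name, address and payloads are constructed for the example, and SHA-256 stands in for the chain's hash function.

```python
import hashlib

def payload_hash(payload: bytes) -> bytes:
    # Stand-in for the chain's hash function; binds an approval to exact bytes.
    return hashlib.sha256(payload).digest()

class Gateway:
    """Toy messaging-layer gateway holding calls approved for this chain."""
    def __init__(self):
        self._approved = set()
    def approve(self, command_id, chain, sender, payload):
        # Assumption: only the messaging layer's own verification reaches this.
        self._approved.add((command_id, chain, sender, payload_hash(payload)))
    def validate_contract_call(self, command_id, chain, sender, p_hash):
        key = (command_id, chain, sender, p_hash)
        approved = key in self._approved
        self._approved.discard(key)  # single use, so a replay fails
        return approved

class UnverifiedReceiver:
    """Weak pattern: acts on whatever payload the caller delivers."""
    def __init__(self):
        self.released = []
    def execute(self, command_id, chain, sender, payload):
        self.released.append(payload)
        return True

class VerifiedReceiver:
    """Releases only calls from a trusted peer that the gateway approved."""
    def __init__(self, gateway, trusted_peers):
        self.gateway, self.trusted_peers, self.released = gateway, trusted_peers, []
    def execute(self, command_id, chain, sender, payload):
        if self.trusted_peers.get(chain) != sender:
            return False  # not the bridge's own contract on the source chain
        if not self.gateway.validate_contract_call(
                command_id, chain, sender, payload_hash(payload)):
            return False  # gateway never approved this exact call and payload
        self.released.append(payload)
        return True

def demo():
    gw, peer = Gateway(), "0xSourceBridge"  # constructed sample values
    weak, strong = UnverifiedReceiver(), VerifiedReceiver(gw, {"ethereum": peer})
    genuine, forged = b"release 10 to alice", b"release 999 to mallory"
    gw.approve("cmd-1", "ethereum", peer, genuine)
    calls = [(weak, "cmd-9", forged), (strong, "cmd-9", forged),
             (strong, "cmd-1", forged), (strong, "cmd-1", genuine),
             (strong, "cmd-1", genuine)]  # last call is a replay
    return [r.execute(cid, "ethereum", peer, p) for r, cid, p in calls]
```

The verified receiver rejects the unapproved call, the approved command ID paired with a different payload, and the replay, and releases only the one call the gateway approved.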