CrossCurve, a decentralized cross‑chain liquidity protocol, has confirmed that its cross-chain bridge has been attacked, reportedly leading to losses of round $3 million.
This occasion provides to a surge in cryptocurrency thefts that claimed almost $400 million from the business in January 2026 alone.
Sponsored
Sponsored
CrossCurve Assault Particulars and Response
The CrossCurve exploit focused a vulnerability in one of many good contracts. Following the incident, the protocol shared an pressing safety warning on its official X (previously Twitter) account. The group urged customers to cease all exercise whereas the difficulty was investigated.
“Our bridge is presently beneath assault, involving the exploitation of a vulnerability in one of many good contracts used. Please pause all interactions with CrossCurve whereas the investigation is ongoing,” CrossCurve posted.
Defimon Alerts, an automatic safety monitoring account operated by Decurity, reported that the exploit resulted in losses of round $3 million throughout a number of networks.
“Anybody might name expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2,” the submit learn.
In a follow-up replace, CrossCurve said that it had recognized 10 pockets addresses that acquired tokens originating from the exploit.
Sponsored
Sponsored
“These tokens had been wrongfully taken from customers because of a wise contract exploit. We don’t imagine this was intentional in your half, and there’s no indication of malicious intent. We hope on your cooperation in returning the funds,” the group wrote.
As a part of its response, CrossCurve invoked its SafeHarbor WhiteHat coverage, providing a bounty of as much as 10%. Such responses are fairly frequent throughout crypto, encouraging negotiations and moral motion.
“We provide as much as a ten% bounty for funds rescued by WhiteHats, this makes you eligible to maintain as much as 10% if the rest is returned,” the submit added.
The protocol invited events to coordinate immediately by way of electronic mail or, in the event that they most well-liked anonymity, to return the property to a chosen pockets handle.
The group warned that the incident will probably be handled as malicious if no contact is established and the funds should not returned inside 72 hours from block 24364392. CrossCurve said that failure to conform would set off escalation measures.
This consists of prison referrals, civil litigation, cooperation with centralized exchanges and stablecoin issuers to freeze property, public disclosure of pockets knowledge, and collaboration with blockchain analytics corporations and regulation enforcement.
The most recent exploit provides to the listing of assaults seen earlier this yr. In January 2026, attackers stole almost $400 million in digital property. Knowledge from blockchain safety agency CertiK reveals greater than 40 main safety incidents within the month.
The surge continues a broader pattern from final yr. 2025 marked the worst yr on report for crypto-related thefts, with complete losses exceeding $1 billion.