Cross-chain liquidity protocol CrossCurve said its bridge was under active attack after an exploit drained about $3 million across multiple blockchain networks.
The project said a missing validation check allowed attackers to spoof cross-chain messages and trigger unauthorised token unlocks from its PortalV2 contract.
“Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,”
CrossCurve said in a post on X, urging users to pause all interactions.
Blockchain security monitors said the flaw was a gateway validation bypass that allowed anyone to call a contract function with a spoofed message, enabling funds to be withdrawn without authorisation.
On-chain data shows the PortalV2 contract balance falling from roughly $3 million to near zero on January 31, with the exploit spanning multiple networks.
CrossCurve, formerly known as EYWA, operates a cross-chain DEX and consensus bridge built with Curve Finance, and counts its founder Michael Egorov among its backers.
The protocol previously highlighted its multi-validator security design as a safeguard and has said it raised $7 million from venture investors, underscoring renewed concerns about cross-chain bridge risks.