CrossCurve is a cross-chain bridge that was the victim of an estimated $3 million hack in February 2026. The attackers took advantage of vulnerabilities in the protocol’s smart contracts to perform a multi-chain heist.
Inside the Attack
CrossCurve is a cross-chain bridge that links several different blockchains together. It’s implemented as a combination of Axelar-based receiver contracts and internal PortalV2 bridge contracts. The receiver contracts receive and validate messages, authorizing the PortalV2 contracts to release funds in response to legitimate transactions.
The root cause of the incident was weak access controls in its expressExecute-like functions that should only accept and process messages coming from Axelar. However, vulnerabilities in the code allowed an attacker to craft messages to the ReceiverAxelar contract that instructed it to release a particular number of tokens to a specified address. Since these malicious messages passed the contract’s validation checks, the receiver contract would instruct the PortalV2 contract to unlock assets, believing it to be a legitimate cross-chain transaction.
The attacker took advantage of this vulnerability across multiple chains supported by the CrossCurve network. In total, an estimated $3 million worth of tokens was drained from the project. The attacker then swapped and bridged stolen tokens to more liquid assets and performed laundering to help cover their tracks. After the incident was detected, the CrossCurve team shut down the platform as they investigated and remediated the vulnerability.
Lessons Learned from the Attack
This CrossCurve hack is a classic example of a cross-chain bridge exploit. The role of a cross-chain bridge contract is to receive messages to lock/unlock funds, validate them, and perform the requested action. This puts the onus of security on the validation code since the bridge contract is solely responsible for determining whether a message is legitimate or not.
In this case, the CrossCurve ReceiverAxelar contract had fundamental access control vulnerabilities that undermined this security. The attacker’s ability to trick the contract into believing that messages originated from Axelar when they didn’t allowed them to release tokens from the project’s contract without performing a corresponding deposit on another chain. As a result, $3 million worth of tokens was drained from the protocol.
This incident shows the importance of comprehensive smart contract security audits, especially for high-risk code like cross-chain bridges. Halborn offers security advisory and auditing services designed to help ensure that protocols are designed to be secure from the start and audited to ensure that implementations are free of exploitable vulnerabilities. Get in touch to find out more.