Cross-chain bridge CrossCurve announced Monday that it suffered a major attack, losing $3 million across multiple networks.
The DeFi protocol noted that a vulnerability in its smart contracts had been exploited, raising security concerns regarding cross-chain infrastructure.
“Our bridge is currently under attack,” he wrote on X, warning users to suspend all interactions with CrossCurve.
According to the CrossCurve article, some user addresses received tokenized funds due to the vulnerability of smart contracts that were “mistaken” by other users.
“We do not believe this was intentional on your part, and there is no indication of malicious intent. We hope for your cooperation in returning the funds,” the platform wrote, identifying a total of 10 addresses.
According to blockchain security account Defimon Alerts, a vulnerable CrossCurve smart contract, ReceiverAxelar, allowed anyone to spoof a cross-chain message, bypassing gateway validation. This triggered unauthorized token unlocks on the PortalV2 contract.
Additionally, Curve Finance wrote that users who assigned votes to pools linked to the platform “may wish to review their positions and consider deleting those votes.”
The protocol is backed by Curve Finance founder Michael Egorov and has raised $7 million from venture capital firms in 2023.
In accordance with Safe Harbor’s Responsible Disclosure Policy, which details the steps to implement responsible reporting of security vulnerabilities, if a white hat hacker assists in the recovery of funds, a 10% bonus will be paid.
“This allows you to keep up to 10% if the rest is returned,” the project team noted.
Additionally, CrossCurve set a 72-hour deadline for hackers to return the funds. If effective communication is not established, the project team will take corrective action immediately.
This includes formal criminal and civil proceedings, working with exchanges such as Coinbase and Binance, stablecoin issuers, law enforcement, and on-chain analytics companies including Chainalysis, TRM Labs, and Elliptic.
The CrossCurve hack is similar to Nomad’s $190 million bridge exploit in 2022, which saw around 8,000 Solana wallets compromised.
“In terms of prevention, an industry set of standard smart contract models known to be secure, smart contract auditing, and secure software development lifecycles would be steps in the right direction,” Andrew Morfill, head of information security at Komainu, told Cryptonews. “As the market matures, securely developed and maintained protocols with real utility will provide the credibility and security assurance that investors seek.”
Read original story DeFi protocol’s CrossCurve smart contract exploited, suffers $3M loss across multiple chains by Sujha Sundararajan at Cryptonews.com
