CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages
Summary
The cross-chain liquidity protocol CrossCurve confirmed an active attack exploiting a vulnerability in one of its smart contracts, resulting in the loss of approximately $3 million across several networks. Security analysts identified the attack vector as a gateway validation bypass in the ReceiverAxelar contract, which allowed unauthorized users to execute the expressExecute function with spoofed cross-chain messages, unlocking tokens from the PortalV2 contract. This exploit is reportedly similar to Nomad's $190 million bridge exploit from 2022. CrossCurve, formerly EYWA Protocol, urged users to pause all interactions while the investigation continues. The protocol, which partners with Curve Finance and uses a "Consensus Bridge" mechanism involving Axelar and LayerZero, had previously highlighted its security architecture as a key feature.
(Source: The Block)
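The class of flaw described in the summary, as a simplified Python model added here (not CrossCurve's or Axelar's code): a receiver whose express path acts on caller-supplied message fields, beside one that requires a gateway-approved message from a known peer. All class names, the message layout and the sample values are assumptions made for illustration.

```python
import hashlib

def _key(command_id, source_chain, source_address, payload):
    return (command_id, source_chain, source_address, hashlib.sha256(payload).hexdigest())

class Gateway:
    """Hypothetical gateway: remembers messages the bridge validators approved."""
    def __init__(self):
        self._approved = set()
    def approve(self, *msg):
        self._approved.add(_key(*msg))
    def validate_call(self, *msg):
        # Consume the approval so the same message cannot be replayed.
        key = _key(*msg)
        if key not in self._approved:
            return False
        self._approved.remove(key)
        return True

class Portal:
    """Hypothetical vault holding locked tokens."""
    def __init__(self, balance):
        self.balance = balance
    def unlock(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient locked balance")
        self.balance -= amount

class UnvalidatedReceiver:
    """Flawed pattern: the express path acts on caller-supplied fields unchecked."""
    def __init__(self, portal):
        self.portal = portal
    def express_execute(self, command_id, source_chain, source_address, payload):
        self.portal.unlock(int.from_bytes(payload, "big"))

class ValidatedReceiver:
    """Hardened pattern: known peer and a gateway approval are both required."""
    def __init__(self, gateway, portal, trusted_peers):
        self.gateway, self.portal, self.trusted_peers = gateway, portal, trusted_peers
    def express_execute(self, command_id, source_chain, source_address, payload):
        if (source_chain, source_address) not in self.trusted_peers:
            raise PermissionError("untrusted source")
        if not self.gateway.validate_call(command_id, source_chain, source_address, payload):
            raise PermissionError("message not approved by gateway")
        self.portal.unlock(int.from_bytes(payload, "big"))

# Constructed sample message: unlock 500 units, claiming to come from a known peer.
SPOOFED = ("cmd-1", "chain-a", "0xpeer", (500).to_bytes(32, "big"))
```

In the hardened receiver the same message is rejected until the gateway has approved it, and rejected again on replay because the approval is consumed on first use.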