Cross Curve suffers $3M exploit, highlighting DeFi’s ‘thin margin for error’

Cross-chain decentralized finance (DeFi) platform Cross Curve was exploited and lost $3 million; an analyst said the technology’s ‘margin for error is thin.’ The CEO of Cross Curve asked the suspects to return the funds in exchange for a bounty, saying that otherwise it would be considered a criminal act.

In an era where cross-chain bridges are attacked time and time again, the CrossCurve protocol suffered the latest hack. The hackers attacked and compromised one of its smart contracts.

According to Defimon Alerts, a DeFi security alert:  

“Anyone could call expressExecute on ReceiverAxelar contract with a spoofed cross-chain message, bypassing gateway validation and triggering unlock on PortalV2.”

Smart contract fails to identify fake message

In simple terms, the hackers sent a spoofed message to the ReceiverAxelar smart contract, which acts as the inbox that receives cross-chain messages. The expressExecute function treated it as a legitimate message from a user and released the funds to the other chain, even though no transaction had been recorded on the original chain. The exploit cost the protocol around $3 million.
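A simplified Python model of the flaw described above, added here as an illustration and not CrossCurve's or Axelar's contract code. The class and method names and the sample message are assumptions; it shows one entry point that skips the gateway check beside a hardened version that does not.

```python
import hashlib

class Gateway:
    """Model of the bridge gateway: holds messages approved from the source chain."""
    def __init__(self):
        self._approved = set()
    @staticmethod
    def _key(chain, sender, payload):
        return hashlib.sha256(f"{chain}|{sender}|".encode() + payload).hexdigest()
    def approve(self, chain, sender, payload):
        self._approved.add(self._key(chain, sender, payload))
    def validate(self, chain, sender, payload):
        # An approval is consumed on use, so the same message cannot be replayed.
        key = self._key(chain, sender, payload)
        approved = key in self._approved
        self._approved.discard(key)
        return approved

class Portal:  # model of the contract holding locked funds on the destination chain
    def __init__(self, locked):
        self.locked = locked
    def unlock(self, amount):
        self.locked -= amount

class VulnerableReceiver:
    def __init__(self, gateway, portal):
        self.gateway, self.portal = gateway, portal
    def execute(self, chain, sender, payload):
        if not self.gateway.validate(chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        self.portal.unlock(int(payload))
    def express_execute(self, chain, sender, payload):
        # Flaw being modelled: this entry point never consults the gateway.
        self.portal.unlock(int(payload))

class HardenedReceiver(VulnerableReceiver):
    def express_execute(self, chain, sender, payload):
        # Same gateway check as the normal path before any funds move.
        self.execute(chain, sender, payload)

def locked_after_unapproved_message(receiver_cls):
    """Send a constructed message the gateway never approved; return funds left."""
    portal = Portal(locked=1000)
    receiver = receiver_cls(Gateway(), portal)
    try:
        receiver.express_execute("chain-a", "0xSENDER", b"400")  # constructed sample
    except PermissionError:
        pass
    return portal.locked
```

In the model, the vulnerable receiver pays out on a message the gateway never saw, while the hardened receiver leaves the locked balance untouched.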

Repeated bridge failures happen as margin for error is thin

Market analyst Lavneet Bansal stated that repeated bridge failures such as Ronin, Wormhole, and Nomad show that cross-chain communication isn’t broken, but is still structurally fragile.

Most of these incidents didn’t involve broken cryptography. They came from message verification gaps, trust assumptions, or validator design choices. The technology works, but the margin for error remains extremely thin.

Analyst Lavneet Bansal

After discovering the exploit, the team set to work. Cross Curve CEO Boris Povar identified some addresses that had received funds through the exploit and asked their holders to return the funds.

As there was no clear evidence to show whether the attack was intentional or a mistake, the CEO gave the hackers a period of 72 hours to return the funds. Povar also promised a bounty of 10% to those returning the stolen funds within that window.

However, if the funds were not returned in time, he stated, it would be considered a criminal act and dealt with accordingly.

Bottom Line

Cross-chain protocol Cross Curve lost about $3 million after hackers sent a spoofed message to one of its smart contracts. Because the protocol trusted the message as legitimate, the portal released the funds from the other blockchain, even though no transaction had occurred on the original blockchain.

Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency investments are subject to high market risk. Readers should conduct their own research or consult with a financial advisor before making any investment decisions. The views expressed here do not necessarily reflect those of the publisher.