Decentralized finance protocol CrossCurve, formerly known as EYWA, says it has publicly identified ten Ethereum addresses linked to a hack of its token transfer system on Sunday.
“These tokens were wrongfully taken from users due to a smart contract exploit,” Povar said. “We do not believe this was intentional on your part, and there is no indication of malicious intent.”
Failure to return the funds would trigger immediate escalation, including criminal referrals, civil litigation, coordination with exchanges and issuers to freeze assets, public disclosure of wallet and transaction data, and cooperation with law enforcement and blockchain analytics firms, Povar added.
CrossCurve has not publicly confirmed the loss estimate cited by security firms, and has not shared its own figure for the funds affected. Decrypt has reached out to CrossCurve for comment.
The exploit stemmed from a “lack of validation,” the team at BlockSec told Decrypt.
“The cross‑chain messages that should have been validated were not verified, causing the destination‑chain contract to believe the message reflected a genuine transaction initiated on the source chain and to release the corresponding assets based on attacker‑forged payload data,” BlockSec said.
The incident shows that “cross-chain security still leans too heavily on a single validation pathway,” BlockSec added. “If any alternate execution path bypasses that check, the entire trust model collapses.”
“This exploit wasn’t a failure of Axelar’s core protocol; it was a receiver-side failure,” Dan Dadybayo, research and strategy lead at Unstoppable Wallet, told Decrypt. “CrossCurve’s custom ReceiverAxelar contract executed cross-chain messages without sufficiently authenticating them first.”
“The hard part of bridge security isn’t the messaging layer, it’s making sure nothing happens until authenticity is fully proven,” he added. “Custom receivers remain the weakest link. As long as bridges concentrate liquidity and rely on bespoke validation logic, they will continue to be the highest-risk surface in DeFi.”
