CrossCurve faced litigation threats following an attack on its crosschain infrastructure hacking services.

The CrossCurve project, formerly known as EYWA, experienced a serious security incident when unknown hackers exploited smart contract hacking services to carry out a targeted attack on the cross-chain token transfer mechanism. As a result of the breach, approximately three million dollars worth of assets were compromised. The project team announced legal action against those involved and provided a 72-hour window for the return of the funds.

Discovered Addresses and Initial Response

The CrossCurve team quickly identified ten Ethereum addresses where the stolen assets were transferred immediately after the incident. CEO Boris Povar explained that a vulnerability in the transfer protocol was exploited to unauthorizedly withdraw user funds. Initially, the project leadership suggested that the recipients might not have been aware that the received funds were illicit. However, this lenient approach was based on a three-day window for voluntary asset recovery and direct contact with the involved parties.

Without an agreed resolution, CrossCurve promised to escalate the matter to criminal prosecution, cooperate with cryptocurrency exchanges to freeze the compromised assets, and work with law enforcement agencies and blockchain analytics firms internationally.

Extent of Losses Distributed Across Multiple Networks

The security monitoring platform Defimons, operated by Decurity, revealed that the total financial damage amounts to approximately three million dollars, spread across various blockchain networks. Parallel estimates from BlockSec, a leader in distributed system security, suggest losses of about $2.76 million.

A detailed breakdown shows that the Ethereum network suffered the largest loss at $1.3 million, while Arbitrum incurred losses of around $1.28 million. Additional damages were recorded on networks such as Optimism, Base, Mantle, Kava, Frax, Celo, and Blast, highlighting the variety of attack vectors used. CrossCurve has not yet published an official estimate of the total affected assets, instead reaching out via Decrypt media channels for further analysis from specialists.

Technical Causes: Insufficient Verification and Trust Chain

BlockSec explained the breach mechanism: the main issue was an inadequate verification system for cross-network messages transmitted between different blockchains. When a message arrives in the target network, the system must verify its authenticity, but in this case, the contract accepted forged data as legitimate and executed withdrawal instructions.

Analysts from BlockSec emphasized a critical vulnerability in cross-chain bridge architecture: many such systems rely on a single verification layer. If this layer is compromised or bypassed, the entire trust chain collapses. Dan Dadybayo, head of research and strategic development at Unstoppable Wallet, told Decrypt that the problem was not with the main Axelar protocol itself but with a custom contract, ReceiverAxelar, developed by CrossCurve to handle cross-network messages without sufficient authentication.

Historical Parallels and Systemic Lessons

History has seen similar incidents. The Nomad bridge hack in 2022 demonstrated comparable vulnerabilities in verification logic. Dadybayo noted that the primary security challenge for cross-chain systems lies not in the transport layer itself but in ensuring full authentication before executing any actions. Custom message receivers often turn out to be the weakest link in the security chain.

As cross-chain bridges hold significant liquidity and each project develops its own verification logic, such systems remain prime targets for hacking services and targeted attacks within the decentralized finance ecosystem. The CrossCurve incident serves as a reminder that complex cross-chain architectures require not only technical expertise but also a radical rethinking of security models.