CrossCurve warns of legal action after cross-chain bridge exploit tied to $3M losses
CrossCurve said an attacker exploited a vulnerability in its bridge contracts and routed misappropriated funds through at least 10 Ethereum addresses. CEO Boris Povar asked recipients to return the assets or make contact within 72 hours, citing potential criminal referrals and civil litigation if the funds stay unreturned.
Cross-chain bridges keep concentrating liquidity in places where a single validation failure can unlock real money across multiple networks. CrossCurve is the latest example.
The DeFi protocol, formerly known as EYWA, said on Sunday that an attacker exploited a vulnerability in one of the smart contracts supporting its token transfer system. The team urged users to pause interactions while it investigates.
Hours later, CEO Boris Povar posted that the team had identified ten Ethereum addresses that received tokens that should have remained with users. His message asked the recipients to return the assets or reach out within 72 hours. He said failure to do so would prompt escalation that could include criminal referrals, civil litigation, coordination with exchanges and token issuers to freeze assets, and cooperation with law enforcement and blockchain analytics firms.
Independent security teams have published competing loss estimates. Defimon Alerts put the incident at roughly $3 million and said the attacker used a forged cross-chain message that bypassed checks and triggered fund releases.BlockSec estimated about $2.76 million in losses, including around $1.3 million on Ethereum and about $1.28 million on Arbitrum, with smaller amounts spread across networks that include Optimism, Base, Mantle, Kava, Frax, Celo, and Blast.
The incident fits a familiar pattern. Analysts described a receiver-side validation gap where cross-chain messages were executed without sufficient authentication, leaving an alternate path that could bypass expected checks. CrossCurve documentation describes a bridge design that relies on portal and synthesis contracts, plus cross-chain messaging components, which makes validation logic a critical choke point.
CrossCurve has also referenced a Safe Harbor approach for fund recovery, including a potential bounty of up to 10% for help returning assets, with the 72-hour window tied to a specific Ethereum block height. The next signal for users will be a post-mortem that explains the exact execution path, the chains affected, and what changes will prevent similar message-bypass attacks from recurring.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
