Replace: This word has been up to date to indicate the full quantity of stolen funds recognized in CrossCurve's X account.
An exploit disclosed on February 1, 2026 affected the Cross Curve Liquidity Bridge related to the Ethereum Curve Finance Decentralized Alternate (DEX), inflicting estimated losses. “Roughly US$2.76 million throughout a number of networks.”.
The hack was reported by BlockSec, an on-chain safety and analytics firm. Nonetheless, on the afternoon of February 2nd, CrossCurve confirmed that the full funding quantity will likely be USD 1.4 million and will likely be cut up into 10 totally different tokens. It additionally offers hackers 72 hours to contact the platform earlier than resorting to authorized motion.
Of the full theft reported by BlockSec, roughly USD 1.3 million was concentrated in Ethereum's base layer, and an extra USD 1.28 million was concentrated within the second layer (L2) Arbitrum community, as seen within the picture.
In that respect, cross curve mentioned The assault was contained on February 2nd.. Boris Povall, the protocol's CEO, printed an inventory of addresses that will have obtained a number of the stolen funds.
Containment, tracing and follow-up measures
On February 1, 2026, after studying of the safety incident. curve finance staff public Warning to customers In case you are not directly uncovered to the affected protocols.
In line with Curve, customers who had allotted governance votes to direct liquidity to swimming pools linked to CrossCurve (previously Eywa) have been capable of evaluation their positions and take into account withdrawing their help following the incident.
The subsequent day, CrossCurve reported that it revealed that the attackers have been capable of efficiently mine EYWA tokens from bridges on the Ethereum community, however have been unable to make use of them. In line with the staff: these funds have been frozen It is because XT Alternate, the one website with lively EYWA deposits, has frozen the tokens, making them unable to be offered or transferred.
In line with CrossCurve, EYWA tokens on the Arbitrum community stay safe.
In addition they indicated that they required centralized exchanges (corresponding to KuCoin, MEXC, and BingX) to: Guarantee attackers haven’t any choice to promote or transfer stolen propertythus avoiding entry into circulation and impacting the availability of tokens.
How did the Curve Finance hack occur?
The incident occurred on the bridge cross chain (bridge between chains) From CrossSurve. Merely put, The system was tricked into believing there was a professional switch from one other chain. By not checking the supply, they launched funds that ought to not have been launched.
bridge (or bridge (English) is an infrastructure that enables property to be moved between totally different networks.
To function, a cross-chain bridge locks the funds on the supply community, order the issuance or launch of property; An equal on the vacation spot community.
This intermediate step is supported by a message that proves that the block truly occurred, so the system should confirm that the message is from the proper chain. You will need to additionally be sure that it has not been tampered with earlier than permitting motion.
In line with the BlockSec white paper: The failure was within the good contract It’s referred to as “Receiver Axelar”.
That contract omitted essential verification. This can be a verification aimed toward confirming that the message obtained is real. Since this management doesn’t exist, The system accepted a cast message pretending to come back from one other communitypermitting operations that shouldn’t be carried out.
In line with BlockSec, the attacker used these messages to name the “expressExecute” operate. This name causes gateway or straight activated the unauthorized unlocking of the token by accessing the bridge entrance door.
In line with BlockSec, the affected contract was PortalV2, which protects bridge liquidity.
CrossCurve reported that they’re conducting an intensive investigation to offer extra particulars about this exploit.
(Tag translation) Sensible contract
