{"id":802,"date":"2026-02-04T19:09:42","date_gmt":"2026-02-04T13:39:42","guid":{"rendered":"https:\/\/cryip.co\/?p=802"},"modified":"2026-02-06T15:00:45","modified_gmt":"2026-02-06T09:30:45","slug":"crosscurve-bridge-hacks-a-technical-look-at-message-spoofing","status":"publish","type":"post","link":"https:\/\/cryip.co\/crosscurve-bridge-hacks-a-technical-look-at-message-spoofing\/","title":{"rendered":"CrossCurve Bridge Hack Post-Mortem: How Message Spoofing Led to a $1.4M Exploit"},"content":{"rendered":"<p data-path-to-node=\"5\">The cross-chain landscape continues to be a primary target for sophisticated exploits. Between January 31 and February 1, 2026, <b data-path-to-node=\"5\" data-index-in-node=\"128\">CrossCurve<\/b> (formerly known as the EYWA Protocol), a cross-chain liquidity bridge developed in collaboration with Curve Finance, became the latest victim. The protocol suffered a critical bridge exploit resulting in the loss of approximately <b data-path-to-node=\"5\" data-index-in-node=\"369\">$1.44 million<\/b> in liquid assets, while an additional 999 million EYWA tokens were minted but successfully frozen.<\/p>\n<p data-path-to-node=\"6\">Unlike traditional smart contract &#8220;re-entrancy&#8221; or &#8220;flash loan&#8221; attacks, this incident was a failure of cross-chain message validation, highlighting the extreme risks associated with bridge integrations and decentralized gateway authentication.<\/p>\n<h2 data-path-to-node=\"1\"><b data-path-to-node=\"1\" data-index-in-node=\"0\">The Exploit: Logic Failure &amp; Spoofing<\/b><\/h2>\n<p data-path-to-node=\"9\">The exploit was rooted in a critical access control flaw within CrossCurve\u2019s <code data-path-to-node=\"9\" data-index-in-node=\"77\">ReceiverAxelar<\/code> contract. By exploiting a missing validation check in the <code data-path-to-node=\"9\" data-index-in-node=\"150\">expressExecute<\/code> function, the attacker was able to bypass the protocol&#8217;s gateway authentication.<\/p>\n<p data-path-to-node=\"10\">Essentially, the attacker &#8220;spoofed&#8221; (faked) cross-chain messages that the protocol accepted as legitimate commands. This allowed the malicious actor to trigger unauthorized token unlocks from the <code data-path-to-node=\"10\" data-index-in-node=\"196\">PortalV2<\/code> contract across multiple networks, including Ethereum and Arbitrum. While the total market value of stolen liquid assets reached ~$1.44M, the rapid response from the team and centralized exchanges prevented the liquidation of nearly a billion EYWA tokens.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Exploit Update<\/p>\n<p>In our ongoing investigation into the exploit, we have identified an additional $140,762 of stolen funds via bot-driven attacks.<\/p>\n<p>Below you can see the updated table, which now includes these additional details. We remain committed to keeping the community fully\u2026 <a href=\"https:\/\/t.co\/xUmvKK5vhG\">pic.twitter.com\/xUmvKK5vhG<\/a><\/p>\n<p>\u2014 CrossCurve (@crosscurvefi) <a href=\"https:\/\/twitter.com\/crosscurvefi\/status\/2018710180867850659?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">February 3, 2026<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h2 data-path-to-node=\"11\"><strong>Incident Timeline (UTC)<\/strong><\/h2>\n<p data-path-to-node=\"12\">The attack was a multi-day operation that began with quiet exploitation across secondary chains before moving to major liquidity pools.<\/p>\n<table data-path-to-node=\"13\">\n<thead>\n<tr>\n<td><strong>Date\/Time<\/strong><\/td>\n<td><strong>Event<\/strong><\/td>\n<td><strong>Action Taken<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span data-path-to-node=\"13,1,0,0\"><b data-path-to-node=\"13,1,0,0\" data-index-in-node=\"0\">Jan 31, 2026<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,1,1,0\">Initial Reconnaissance<\/span><\/td>\n<td><span data-path-to-node=\"13,1,2,0\">Attacker begins quiet exploitation across multiple side-chains.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"13,2,0,0\"><b data-path-to-node=\"13,2,0,0\" data-index-in-node=\"0\">Feb 1, Midnight<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,2,1,0\">Major Bridge Drain<\/span><\/td>\n<td><span data-path-to-node=\"13,2,2,0\">Unauthorized token unlocks detected on Portal contracts.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"13,3,0,0\"><b data-path-to-node=\"13,3,0,0\" data-index-in-node=\"0\">Feb 2, 02:15 AM<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,3,1,0\">Public Warning<\/span><\/td>\n<td><span data-path-to-node=\"13,3,2,0\">CrossCurve issues an urgent security notice on X.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"13,4,0,0\"><b data-path-to-node=\"13,4,0,0\" data-index-in-node=\"0\">Feb 2, Morning<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,4,1,0\">Protocol Lockdown<\/span><\/td>\n<td><span data-path-to-node=\"13,4,2,0\">CrossCurve pauses all bridge interactions globally.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"13,5,0,0\"><b data-path-to-node=\"13,5,0,0\" data-index-in-node=\"0\">Feb 2, 10:22 PM<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,5,1,0\">Official Disclosure<\/span><\/td>\n<td><span data-path-to-node=\"13,5,2,0\">Detailed breakdown of stolen assets published.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span data-path-to-node=\"13,6,0,0\"><b data-path-to-node=\"13,6,0,0\" data-index-in-node=\"0\">Feb 3, 2026<\/b><\/span><\/td>\n<td><span data-path-to-node=\"13,6,1,0\">Ultimatum<\/span><\/td>\n<td><span data-path-to-node=\"13,6,2,0\">A 72-hour deadline with a 10% bounty is issued.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 data-path-to-node=\"14\"><strong>Technical Breakdown: The Mechanism of Spoofing<\/strong><\/h2>\n<p data-path-to-node=\"15\">The vulnerability resided specifically in how CrossCurve processed messages from the Axelar network.<\/p>\n<h4 data-path-to-node=\"16\"><strong>The Root Cause: ReceiverAxelar Contract<\/strong><\/h4>\n<p data-path-to-node=\"17\">The <code data-path-to-node=\"17\" data-index-in-node=\"4\">ReceiverAxelar<\/code> contract contained a function named <code data-path-to-node=\"17\" data-index-in-node=\"55\">expressExecute()<\/code>. In a secure implementation, this function should verify that the message it receives is authenticated by a trusted cross-chain gateway.<\/p>\n<p data-path-to-node=\"18\"><b data-path-to-node=\"18\" data-index-in-node=\"0\">The Failure Points:<\/b><\/p>\n<ol start=\"1\" data-path-to-node=\"19\">\n<li>\n<p data-path-to-node=\"19,0,0\"><b data-path-to-node=\"19,0,0\" data-index-in-node=\"0\">Public Accessibility:<\/b> The <code data-path-to-node=\"19,0,0\" data-index-in-node=\"26\">expressExecute()<\/code> function was publicly callable.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"19,1,0\"><b data-path-to-node=\"19,1,0\" data-index-in-node=\"0\">Insufficient Authentication:<\/b> The only significant check enforced was whether a <code data-path-to-node=\"19,1,0\" data-index-in-node=\"79\">commandId<\/code> had already been executed.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"19,2,0\"><b data-path-to-node=\"19,2,0\" data-index-in-node=\"0\">CommandId Bypass:<\/b> The attacker generated fresh, unused <code data-path-to-node=\"19,2,0\" data-index-in-node=\"55\">commandIds<\/code>. Since the contract only checked for &#8220;uniqueness&#8221; and not &#8220;authenticity,&#8221; the spoofed messages were processed.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"19,3,0\"><b data-path-to-node=\"19,3,0\" data-index-in-node=\"0\">Low Threshold:<\/b> The confirmation threshold was set to 1, effectively disabling multi-guardian validation.<\/p>\n<\/li>\n<\/ol>\n<h4 data-path-to-node=\"20\"><strong>Stolen Assets Breakdown<\/strong><\/h4>\n<p data-path-to-node=\"21\">The following data represents the confirmed loss according to CrossCurve\u2019s disclosure:<\/p>\n<p data-path-to-node=\"22\"><b data-path-to-node=\"22\" data-index-in-node=\"0\">Liquid Assets (Total Value: ~$1,441,892.31)<\/b><\/p>\n<ul data-path-to-node=\"23\">\n<li>\n<p data-path-to-node=\"23,0,0\"><b data-path-to-node=\"23,0,0\" data-index-in-node=\"0\">USDT:<\/b> 815,361.00<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"23,1,0\"><b data-path-to-node=\"23,1,0\" data-index-in-node=\"0\">CRV:<\/b> 239,889.64<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"23,2,0\"><b data-path-to-node=\"23,2,0\" data-index-in-node=\"0\">WETH:<\/b> 123.59<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"23,3,0\"><b data-path-to-node=\"23,3,0\" data-index-in-node=\"0\">WBTC:<\/b> 2.64<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"23,4,0\"><b data-path-to-node=\"23,4,0\" data-index-in-node=\"0\">Other (USDC, USDB, frxUSD):<\/b> ~$50,000.00<\/p>\n<\/li>\n<\/ul>\n<p data-path-to-node=\"24\"><b data-path-to-node=\"24\" data-index-in-node=\"0\">The &#8220;Frozen&#8221; Assets<\/b><\/p>\n<p data-path-to-node=\"24\">The attacker also extracted 999,787,453 EYWA tokens to Ethereum. However, these are currently unusable because DEX pools are shallow, the bridge is paused, and exchanges like XT have frozen the hacker&#8217;s deposits.<\/p>\n<h4 data-path-to-node=\"25\"><strong>Attacker Profiles &amp; Fund Flow<\/strong><\/h4>\n<p data-path-to-node=\"26\">The exploit was executed using a cluster of 10 identified wallets. The primary wallet was funded via the <b data-path-to-node=\"26\" data-index-in-node=\"105\">FixedFloat<\/b> exchange.<\/p>\n<ul data-path-to-node=\"27\">\n<li>\n<p data-path-to-node=\"27,0,0\"><b data-path-to-node=\"27,0,0\" data-index-in-node=\"0\">Primary Wallet:<\/b> <code data-path-to-node=\"27,0,0\" data-index-in-node=\"16\">0x632400f42e96a5deb547a179ca46b02c22cd25cd<\/code><\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"27,1,0\"><b data-path-to-node=\"27,1,0\" data-index-in-node=\"0\">Strategy:<\/b> The attacker primarily exploited Arbitrum, swapped tokens for WETH via CoW Protocol, and bridged to Ethereum mainnet via Across Protocol.<\/p>\n<\/li>\n<\/ul>\n<h2 data-path-to-node=\"28\"><strong>Security Failures &amp; Industry Lessons<\/strong><\/h2>\n<p data-path-to-node=\"29\">This breach provides several critical takeaways for the DeFi community:<\/p>\n<ol start=\"1\" data-path-to-node=\"30\">\n<li>\n<p data-path-to-node=\"30,0,0\"><b data-path-to-node=\"30,0,0\" data-index-in-node=\"0\">Trustless Bridges are not always &#8220;Trustless&#8221;:<\/b> Gateway Validation must be strictly enforced.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"30,1,0\"><b data-path-to-node=\"30,1,0\" data-index-in-node=\"0\">Privileged Functions must be Restricted:<\/b> Use <code data-path-to-node=\"30,1,0\" data-index-in-node=\"45\">onlyGateway<\/code> or <code data-path-to-node=\"30,1,0\" data-index-in-node=\"60\">onlyRelayer<\/code> modifiers.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"30,2,0\"><b data-path-to-node=\"30,2,0\" data-index-in-node=\"0\">Guardian Thresholds:<\/b> Setting a threshold of 1 is inherently risky.<\/p>\n<\/li>\n<li>\n<p data-path-to-node=\"30,3,0\"><b data-path-to-node=\"30,3,0\" data-index-in-node=\"0\">Historical Context:<\/b> While 2025 saw security improvements, the CrossCurve incident, much like the recent <a href=\"https:\/\/cryip.co\/step-finance-treasury-breach\/\"><strong>Step Finance hack<\/strong><\/a>, shows that operational and logic errors remain the industry&#8217;s Achilles&#8217; heel. This event marks a rough start for February, following the wave of <a href=\"https:\/\/cryip.co\/crypto-hacks-and-scams-january-2026\/\"><strong>Crypto Hacks and Scams January 2026<\/strong><\/a>.<\/p>\n<\/li>\n<\/ol>\n<h4 data-path-to-node=\"31\"><strong>Current Status and Recovery<\/strong><\/h4>\n<p data-path-to-node=\"32\">CrossCurve has offered a <b data-path-to-node=\"32\" data-index-in-node=\"25\">10% bounty (~$144,000)<\/b> for the return of the funds under a &#8220;SafeHarbor WhiteHat&#8221; agreement. Major exchanges (KuCoin, MEXC, BitMart) are monitoring the hacker&#8217;s addresses.<\/p>\n<h4 data-path-to-node=\"1\"><b data-path-to-node=\"1\" data-index-in-node=\"0\"> Securing the Cross-Chain Future<\/b><\/h4>\n<p data-path-to-node=\"34\">The CrossCurve exploit is a textbook example of how a small oversight in &#8220;Message Validation&#8221; can lead to a multi-million dollar loss. The industry must move toward mandatory multi-guardian thresholds and strict gateway verification to prevent &#8220;spoofing&#8221; from remaining a viable attack vector in 2026.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The cross-chain landscape continues to be a primary target for sophisticated exploits. Between January 31 and February 1, 2026, CrossCurve (formerly known as the EYWA Protocol), a cross-chain liquidity bridge developed in collaboration with Curve Finance, became the latest victim. The protocol suffered a critical bridge exploit resulting in the loss of approximately $1.44 million [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":827,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jnews-multi-image_gallery":[],"jnews_single_post":{"format":"standard","jnews_video_option_group":[[]],"override":[{"template":"1","parallax":"1","fullscreen":"1","layout":"no-sidebar","sidebar":"default-sidebar","second_sidebar":"default-sidebar","sticky_sidebar":"1","share_position":"float","share_float_style":"share-normal","show_share_counter":"1","show_view_counter":"1","show_featured":"1","show_post_meta":"1","show_post_author":"1","show_post_date":"1","post_date_format":"default","post_date_format_custom":"Y\/m\/d","show_post_category":"1","post_reading_time_wpm":"300","post_calculate_word_method":"str_word_count","show_zoom_button":"0","zoom_button_out_step":"2","zoom_button_in_step":"3","show_post_tag":"1","show_popup_post":"1","number_popup_post":"1","show_post_related":"1"}],"image_override":[{"single_post_thumbnail_size":"crop-500","single_post_gallery_size":"crop-500"}],"trending_post_position":"meta","trending_post_label":"Trending","sponsored_post_label":"Sponsored by","disable_ad":"0","subtitle":"Inside the CrossCurve Exploit: A Technical Analysis of Message Spoofing"},"jnews_primary_category":[],"jnews_override_counter":{"view_counter_number":"0","share_counter_number":"0","like_counter_number":"0","dislike_counter_number":"0"},"footnotes":""},"categories":[32],"tags":[53],"class_list":["post-802","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-post-mortems","tag-crypto-hacks"],"image_feature":"https:\/\/cryip.co\/wp-content\/uploads\/2026\/02\/Screenshot-2026-02-04-at-7.03.04-PM.png","author_name":"Saravana Kumar Mahendran","pure_taxonomies":{"categories":[{"term_id":32,"name":"Post Mortems","slug":"post-mortems","term_group":0,"term_taxonomy_id":32,"taxonomy":"category","description":"When things break, we document the truth. Post Mortems include incident timelines, root cause analysis, contributing factors, and lessons that prevent repeats. We focus on actionable takeaways for users and teams, including security improvements, monitoring gaps, and safer operational practices. This category exists to help the ecosystem learn faster.\r\n","parent":25,"count":8,"filter":"raw","image":""}],"tags":[{"term_id":53,"name":"Crypto Hacks","slug":"crypto-hacks","term_group":0,"term_taxonomy_id":53,"taxonomy":"post_tag","description":"","parent":0,"count":128,"filter":"raw","image":""}]},"_links":{"self":[{"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/posts\/802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/comments?post=802"}],"version-history":[{"count":4,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/posts\/802\/revisions"}],"predecessor-version":[{"id":899,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/posts\/802\/revisions\/899"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/media\/827"}],"wp:attachment":[{"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/media?parent=802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/categories?post=802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryip.co\/wp-json\/wp\/v2\/tags?post=802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}