The exploit brought about losses on networks resembling Ethereum, Base, and Arbitrum.
The CrossCurve staff claimed to have contained the incident and traced the addresses concerned.
Replace: This be aware has been up to date to indicate the whole stolen funds as confirmed by CrossCurve’s X account.
An exploit revealed on February 1, 2026 affected the Cross Curve liquidity bridge related to the Ethereum Curve Finance decentralized alternate (DEX), inflicting estimated losses “of round USD 2.76 million throughout a number of networks”.
The hack was reported by BlockSec, an on-chain safety and evaluation agency. Nevertheless, within the afternoon of February 2, CrossCurve confirmed that the whole funds can be USD 1.4 million, divided into 10 completely different tokens. Additionally giving 72 hours for the hackers to contact the platform, earlier than resorting to authorized means.
Of the stolen whole reported by BlockSec, about USD 1.3 million was concentrated within the base layer of Ethereum and one other USD 1.28 million within the second layer (L2) Arbitrum community, as seen within the picture.
For its half, CrossCurve acknowledged on February 2 to have contained the assault. Boris Povar, CEO of that protocol, revealed an inventory with addresses that may have obtained a part of the stolen funds.
Containment, tracing and subsequent measures
On February 1, 2026, after studying of the safety incident, the Curve Finance staff public a warning to customers with oblique publicity to the affected protocol.
In accordance with Curve, customers who had allotted governance votes used to direct liquidity to swimming pools linked to CrossCurve (previously referred to as Eywa) might evaluate their positions and take into account withdrawing that help following the incident.
A day later, CrossCurve reported that the attacker managed to mine EYWA tokens from the bridge on the Ethereum community, however clarified that he couldn’t use them. In accordance with the staff, These funds have been frozen as a result of XT Change, the one web site with energetic deposits for EYWA, froze the tokens, stopping them from being offered or transferred.
In accordance with CrossCurve, EYWA tokens on the Arbitrum community stay secure.
Additionally they indicated that they made requests to centralized exchanges (KuCoin, MEXC, BingX, amongst others) to be certain that the attacker had no choices to promote or transfer the stolen belongingsthus avoiding its entry into circulation and an influence on the availability of the token.
How did the Curve Finance hack occur?
The incident occurred on the bridge cross-chain (bridge between chains) from CrossSurve. In easy phrases, the system was tricked into believing {that a} reputable switch existed from one other chain. By not verifying the origin, he launched funds that ought to by no means have gone out.
A bridge (or brigde in English) is an infrastructure that enables belongings to be moved between completely different networks.
To function, a cross-chain bridge locks funds on the supply community and orders the issuance or launch of belongings equivalents on the vacation spot community.
This intermediate step is supported by a message that certifies that the block truly occurred, so the system should confirm that mentioned message comes from the right chain. It’s essential to additionally verify that it has not been tampered with earlier than authorizing any motion.
In accordance with the BlockSec white paper, the failure was in a sensible contract referred to as ‘ReceiverAxelar’.
In that contract, a essential validation was skipped. This can be a verification meant to substantiate that the message obtained was genuine. Since this management doesn’t exist, the system accepted the cast message that pretended to come back from one other communityenabling operations that ought to by no means have been executed.
With these messages, the attacker invoked the ‘expressExecute’ perform, based on BlockSec. That decision prevented the examine of the gateway or bridge entrance door and immediately activated the unauthorized unlocking of tokens.
In accordance with BlockSec, the affected contract was PortalV2, which guarded the bridge’s liquidity.
CrossCurve reported that they’re finishing up a full investigation to offer extra particulars in regards to the exploit.
