An exploit revealed on February 1, 2026 affected the Cross Curve liquidity bridge related to the Ethereum Curve Finance decentralized alternate (DEX), inflicting estimated losses “of round USD 2.76 million throughout a number of networks”.
The hack was reported by BlockSec, an on-chain safety and evaluation agency.
Of the full stolen, about USD 1.3 million was concentrated within the base layer of Ethereum and one other USD 1.28 million within the second layer (L2) Arbitrum community, as seen within the following picture:
For its half, CrossCurve said on February 2 to have contained the assault. Boris Povar, CEO of that protocol, revealed an inventory with addresses that will have acquired a part of the stolen funds.
Containment, tracing and subsequent measures
On February 1, 2026, after studying of the safety incident, the Curve Finance crew public a warning to customers with oblique publicity to the affected protocol.
In accordance with Curve, customers who had allotted governance votes used to direct liquidity to swimming pools linked to CrossCurve (previously referred to as Eywa) may assessment their positions and think about withdrawing that help following the incident.
A day later, CrossCurve reported that the attacker managed to mine EYWA tokens from the bridge on the Ethereum community, however clarified that he couldn’t use them. In accordance with the crew, These funds had been frozen as a result of XT Trade, the one web site with energetic deposits for EYWA, froze the tokens, stopping them from being bought or transferred.
In accordance with CrossCurve, EYWA tokens on the Arbitrum community stay secure.
Additionally they indicated that they made requests to centralized exchanges (KuCoin, MEXC, BingX, amongst others) to be certain that the attacker had no choices to promote or transfer the stolen propertythus avoiding its entry into circulation and an impression on the provision of the token.
How did the Curve Finance hack occur?
The incident occurred on the bridge cross-chain (bridge between chains) from CrossSurve. In easy phrases, the system was tricked into believing {that a} authentic switch existed from one other chain. By not verifying the origin, he launched funds that ought to by no means have gone out.
A bridge (or brigde in English) is an infrastructure that permits property to be moved between totally different networks.
To function, a cross-chain bridge locks funds on the supply community and orders the issuance or launch of property equivalents on the vacation spot community.
This intermediate step is supported by a message that certifies that the block really occurred, so the system should confirm that stated message comes from the right chain. You could additionally verify that it has not been tampered with earlier than authorizing any motion.
In accordance with the BlockSec white paper, the failure was in a sensible contract referred to as ‘ReceiverAxelar’.
In that contract, a crucial validation was skipped. This can be a verification meant to verify that the message acquired was genuine. Since this management doesn’t exist, the system accepted the cast message that pretended to come back from one other communityenabling operations that ought to by no means have been executed.
With these messages, the attacker invoked the ‘expressExecute’ perform, in accordance with BlockSec. That decision prevented the examine of the gateway or bridge entrance door and immediately activated the unauthorized unlocking of tokens.
In accordance with BlockSec, the affected contract was PortalV2, which guarded the bridge’s liquidity.
CrossCurve reported that they’re finishing up a full investigation to offer extra particulars in regards to the exploit.
