It looks like the authors of EYWA have stepped on the same rake again.
The decentralized finance protocol CrossCurve, formerly known as EYWA, has reported a serious vulnerability in its smart contract responsible for cross-chain transfers. As a result of the attack, an attacker was able to transfer user assets to several third-party addresses.
The incident occurred on Sunday. According to the project team, the exploit was related to a bug in smart contract logic that allowed the verification of messages between blockchains to be bypassed. A few hours after the attack was discovered, CrossCurve CEO Boris Povar clarified that they had identified ten Ethereum addresses to which the assets had been transferred.
According to Povar, the funds were withdrawn not due to user error, but due to a vulnerability, and the team has no reason to believe the actions of the address holders were malicious. However, he emphasized that if there is no feedback or refund within 72 hours, the team will consider the situation intentional and will pursue legal action.
Possible measures include contacting law enforcement agencies, filing civil lawsuits, working with cryptocurrency exchanges to freeze assets, publishing wallet and transaction data, and collaborating with blockchain analytics companies.
Damage estimates vary. According to the Defimon Alerts project, affiliated with Decurity, the total losses are approximately $3 million. The attacker exploited a vulnerability in the bridge logic and sent a bogus message, which was accepted as genuine. This resulted in the assets being unblocked.
BlockSec estimated the total losses at $2.76 million. Of this amount, $1.3 million was attributed to the Ethereum network, and $1.28 million to Arbitrum. Other blockchains were also affected , including Optimism, Base, Mantle, Kava, Frax, Celo, and Blast. According to experts, the root cause of the problem is a lack of proper message verification, which allowed fake transactions to be processed.
Analysts emphasize that the security of cross-chain connections still depends on a single verification channel. If it is bypassed, the entire trust model is destroyed. The problem arose not in the core Axelar protocol, but on the message-receiving side, where CrossCurve used its own implementation without sufficient data authentication.
A similar approach has already led to attacks, notably in the Nomad protocol hackin 2022. Analysts point out that the greatest threat to bridges comes from custom components and the lack of strict validation, especially with high liquidity concentrations.
The decentralized finance protocol CrossCurve, formerly known as EYWA, has reported a serious vulnerability in its smart contract responsible for cross-chain transfers. As a result of the attack, an attacker was able to transfer user assets to several third-party addresses.
The incident occurred on Sunday. According to the project team, the exploit was related to a bug in smart contract logic that allowed the verification of messages between blockchains to be bypassed. A few hours after the attack was discovered, CrossCurve CEO Boris Povar clarified that they had identified ten Ethereum addresses to which the assets had been transferred.
According to Povar, the funds were withdrawn not due to user error, but due to a vulnerability, and the team has no reason to believe the actions of the address holders were malicious. However, he emphasized that if there is no feedback or refund within 72 hours, the team will consider the situation intentional and will pursue legal action.
Possible measures include contacting law enforcement agencies, filing civil lawsuits, working with cryptocurrency exchanges to freeze assets, publishing wallet and transaction data, and collaborating with blockchain analytics companies.
Damage estimates vary. According to the Defimon Alerts project, affiliated with Decurity, the total losses are approximately $3 million. The attacker exploited a vulnerability in the bridge logic and sent a bogus message, which was accepted as genuine. This resulted in the assets being unblocked.
BlockSec estimated the total losses at $2.76 million. Of this amount, $1.3 million was attributed to the Ethereum network, and $1.28 million to Arbitrum. Other blockchains were also affected , including Optimism, Base, Mantle, Kava, Frax, Celo, and Blast. According to experts, the root cause of the problem is a lack of proper message verification, which allowed fake transactions to be processed.
Analysts emphasize that the security of cross-chain connections still depends on a single verification channel. If it is bypassed, the entire trust model is destroyed. The problem arose not in the core Axelar protocol, but on the message-receiving side, where CrossCurve used its own implementation without sufficient data authentication.
A similar approach has already led to attacks, notably in the Nomad protocol hackin 2022. Analysts point out that the greatest threat to bridges comes from custom components and the lack of strict validation, especially with high liquidity concentrations.
