CrossCurve bridge loses about $3M after spoofed cross‑chain messages bypass validation

CrossCurve, a decentralized cross‑chain liquidity protocol, confirmed its cross‑chain bridge was attacked, with on‑chain data and Defimon Alerts reporting losses of about $3 million across multiple networks. Security monitors said the exploit targeted a smart‑contract vulnerability that allowed spoofed cross‑chain messages to bypass gateway validation.

Defimon Alerts explained the flaw let anyone call expressExecute on the ReceiverAxelar contract with a spoofed message, triggering unlocks on the PortalV2 contract. CrossCurve posted on X urging users to pause all interactions while it investigates. The protocol said it identified 10 wallet addresses that received tokens from the exploit and described the tokens as wrongfully taken from users, adding it does not believe the recipients acted intentionally.

CrossCurve invoked its SafeHarbor WhiteHat policy and offered a bounty of up to 10% for funds returned by cooperating parties. The incident adds to a wider surge in crypto thefts: the article cites nearly $400 million stolen in January 2026 and more than 40 major security incidents that month per CertiK, following 2025 losses that exceeded $1 billion.

crosscurve, cross-chain bridge exploit, spoofed cross-chain messages, smart contract vulnerability, receiveraxelar contract, portalv2 contract, safeharbor whitehat policy, 10% bounty offer, 10 wallet addresses, defimon alerts, certik security incidents, january 2026 thefts