Update (February 2, 12:20 UTC): This article has been updated to include a post by CrossCurve CEO Boris Povar.
Crypto protocol CrossCurve said its cross-chain bridge was attacked and $3 million was reportedly stolen across multiple networks.
Cross curve sent to X that his bridge was “attacked late Sunday evening, which involved the exploitation of a security vulnerability in one of the smart contracts in use.”
“Please suspend all interactions with CrossCurve while the investigation continues,” he added.
Defimon Alerts, an X account associated with blockchain security company Decurity, reported that CrossCurve was used for approximately $3 million “across several networks.”
He added that one of CrossCurve’s intelligent contracts allowed anyone to spoof messages to bypass verification and unlock tokens.
“Anyone can invoke expressExecute on the Axelar receiving contract with a spoofed cross-chain message, bypassing gateway verification and triggering unlock on PortalV2,” Defimon Alerts said.
Curve Finance, which has established cooperation with CrossCurve, sent to X that users who have contributed to CrossCurve pools “may wish to review their positions and consider removing these votes.”
“We continue to encourage all participants to remain vigilant and make informed decisions when interacting with third-party projects,” he added.
CrossCurve offers a 10% reward if funds are returned within 72 hours
In an attempt to contact the attacker, CrossCurve CEO Boris Povar common According to him, 10 addresses received tokens as a result of the exploit and offered a reward for returning them within 72 hours.
“These tokens were unlawfully taken away from users as a result of the use of a smart contract. We do not believe this was intentional on your part and there is no indication of malicious intent,” he said. “We hope for your cooperation in refunding the funds.”
Povar offered up to a 10% reward if the funds were returned within 72 hours of the attack.
Related: Breach of Step Finance’s treasury portfolios, outflow of $27 million from SOL as a result of STEP’s 90% failure
“If funds are not returned or contact is not made within 72 hours, we will have to assume that there was malicious intent and treat it as a legal matter,” he added.
Povar said CrossCurve is willing to cooperate with law enforcement, file civil lawsuits to recover damages, and coordinate with authorities and other crypto projects to freeze assets if funds are not returned.
Warehouse: Meet the onchain cryptocurrency detectives who fight crime better than cops
