An exploit disclosed on February 1, 2026 affected the CrossCurve liquidity bridge, which is linked to Curve Finance, the Ethereum decentralized exchange (DEX), causing estimated losses of roughly US$2.76 million across several networks.
The hack was reported by BlockSec, an on-chain security and analytics firm.
As shown in the following image, of the total amount stolen, roughly USD 1.3 million was concentrated on Ethereum's base layer, and a further USD 1.28 million on Arbitrum's layer 2 (L2) network.
In this regard, CrossCurve stated that the attack was contained on February 2. Boris Povall, the protocol's CEO, published a list of addresses that may have received some of the stolen funds.
Containment, tracing and follow-up measures
On February 1, 2026, after learning of the security incident, the Curve Finance team published a warning to users who might be indirectly exposed to the affected protocols.
According to Curve, users who had allocated governance votes to direct liquidity to pools linked to CrossCurve (formerly Eywa) could review their positions and consider withdrawing their support following the incident.
The next day, CrossCurve reported that the attackers had been able to extract EYWA tokens from the bridge on the Ethereum network, but had been unable to use them. According to the team, these funds were frozen because the XT exchange, the only site with active EYWA deposits, froze the tokens, so they cannot be sold or transferred.
According to CrossCurve, EYWA tokens on the Arbitrum network remain secure.
They also indicated that they had asked centralized exchanges (such as KuCoin, MEXC, and BingX) to ensure that the attackers have no option to sell or move the stolen assets, keeping them out of circulation and avoiding an impact on the token supply.
How did the Curve Finance hack occur?
The incident occurred on CrossCurve's cross-chain bridge (a bridge between chains). Simply put, the system was tricked into believing there was a legitimate transfer from another chain. Because it did not check the source, it released funds that should not have been released.
A bridge is infrastructure that allows assets to be moved between different networks.
To operate, a cross-chain bridge locks the funds on the source network and orders the issuance or release of an equivalent asset on the destination network.
This intermediate step is supported by a message proving that the lock actually occurred, so the system must verify that the message comes from the correct chain. It must also make sure that the message has not been tampered with before allowing the movement.
According to the BlockSec white paper, the failure was in the smart contract called “Receiver Axelar”.
That contract omitted an important verification, one aimed at confirming that the message received is genuine. Because this control did not exist, the system accepted a forged message pretending to come from another network, permitting operations that should not have been carried out.
According to BlockSec, the attacker used these messages to call the “expressExecute” function. This call caused the gateway, the bridge's entry point, to directly trigger the unauthorized unlocking of tokens.
According to BlockSec, the affected contract was PortalV2, which safeguards the bridge's liquidity.
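The verification step described above can be modelled in a few lines. The following is an added example, not code from CrossCurve, Axelar or BlockSec: a simplified Python model in which the `Gateway` and `Receiver` classes, their method names and the sample chain and address values are all hypothetical. It contrasts a receiver that acts on any message with one that checks the source and requires gateway approval.

```python
import hashlib

class Gateway:
    """Constructed stand-in for the messaging layer that attests source-chain events."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _digest(command_id, source_chain, source_address, payload):
        h = hashlib.sha256()
        for part in (command_id.encode(), source_chain.encode(), source_address.encode(), payload):
            h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
        return h.digest()

    def approve(self, *message):
        self._approved.add(self._digest(*message))

    def validate(self, *message):
        """True once per approved message; the approval is consumed to block replays."""
        digest = self._digest(*message)
        if digest not in self._approved:
            return False
        self._approved.remove(digest)
        return True

class Receiver:
    """Hypothetical receiver guarding liquidity locked on the destination chain."""
    def __init__(self, gateway, trusted_peers, liquidity):
        self.gateway, self.trusted_peers, self.liquidity = gateway, trusted_peers, liquidity

    def _unlock(self, payload):
        amount = int.from_bytes(payload, "big")
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        self.liquidity -= amount
        return amount

    def execute_unchecked(self, command_id, source_chain, source_address, payload):
        # Flawed: acts on the payload without proof that it came from the source chain.
        return self._unlock(payload)

    def execute_checked(self, command_id, source_chain, source_address, payload):
        if (source_chain, source_address) not in self.trusted_peers:
            raise PermissionError("untrusted source chain or sender")
        if not self.gateway.validate(command_id, source_chain, source_address, payload):
            raise PermissionError("message was not approved by the gateway")
        return self._unlock(payload)
```

Because the approval digest covers the command id, source chain, sender and payload together, changing any one of them after approval makes validation fail.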
CrossCurve reported that it is conducting a thorough investigation to provide more details about this exploit.

