Update: This note has been updated to show the total amount of stolen funds identified in CrossCurve’s X account.
The exploit, disclosed on February 1, 2026, affected the CrossCurve liquidity bridge associated with Curve Finance, the decentralized exchange (DEX) on Ethereum, with initial reports estimating losses of “approximately US$2.76 million across multiple networks.”
The hack was reported by BlockSec, an on-chain security and analytics company.
As seen in the image, approximately $1.3 million of the total amount stolen was concentrated on Ethereum’s base layer, with an additional $1.28 million on the Arbitrum layer-2 (L2) network.
However, on the afternoon of February 2, CrossCurve confirmed that the total stolen amounts to USD 1.4 million, spread across 10 different tokens. It also gave the hackers 72 hours to contact the platform before it resorts to legal action.
The company also said that the attack was contained on February 2. Boris Povall, the protocol’s CEO, published a list of addresses that may have received some of the stolen funds.
Containment, tracing and follow-up measures
On February 1, 2026, after learning of the security incident, the Curve Finance team published a warning to users who may be indirectly exposed to the affected protocols.
According to Curve, users who had allocated governance votes to direct liquidity to pools linked to CrossCurve (formerly Eywa) were able to review their positions and consider withdrawing their support following the incident.
The next day, CrossCurve reported that the attackers had managed to extract EYWA tokens from the bridge on the Ethereum network, but were unable to use them. According to the team, those funds are frozen: XT Exchange, the only site with active EYWA deposits, has frozen the tokens, so they cannot be sold or transferred.
According to CrossCurve, EYWA tokens on the Arbitrum network remain secure.
They also indicated that they requested that centralized exchanges (such as KuCoin, MEXC, and BingX) ensure the attackers have no option to sell or move the stolen assets, thus preventing them from entering circulation and affecting the token supply.
How did the Curve Finance hack happen?
The incident happened on CrossCurve’s cross-chain bridge. Simply put, the system was tricked into believing there was a legitimate transfer from another chain. By not checking the source, it released funds that should not have been released.
A bridge is infrastructure that allows assets to be moved between different networks.
To operate, a cross-chain bridge locks the funds on the source network and orders the issuance or release of equivalent assets on the destination network.
This intermediate step is supported by a message that proves the lock actually occurred, so the system must verify that the message comes from the correct chain and that it has not been tampered with before allowing the movement.
According to the BlockSec white paper, the failure was in the smart contract called “Receiver Axelar”.
That contract omitted an important verification: the one intended to confirm that the message received is genuine. Because this control did not exist, the system accepted a forged message pretending to come from another network, allowing operations that should not have been performed.
According to BlockSec, the attacker used these messages to call the “expressExecute” function. This call reached the bridge’s gateway (its entry point) and directly triggered the unauthorized unlocking of tokens.
According to BlockSec, the affected contract was PortalV2, which safeguards the bridge’s liquidity.
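The missing verification described above can be seen in a simplified Python model, added here as an illustration; it is not CrossCurve's, Axelar's or BlockSec's code. Every name in it (Gateway, Portal, receive_checked, the sample chain and address values) is hypothetical, and the payload is assumed to be just the amount to unlock.

```python
import hashlib

# Constructed sample allow-list of (source chain, sender address) pairs.
TRUSTED_SOURCES = {("arbitrum", "0xBridgeSender")}

def message_id(source_chain, source_address, payload):
    """Digest binding a payload to the chain and sender it claims to come from."""
    h = hashlib.sha256()
    for part in (source_chain, source_address, payload):
        data = part.encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length prefix avoids ambiguity
    return h.hexdigest()

class Gateway:
    """Stands in for the component attesting that a lock happened on the source chain."""
    def __init__(self):
        self._approved = set()
    def approve(self, source_chain, source_address, payload):
        self._approved.add(message_id(source_chain, source_address, payload))
    def consume(self, source_chain, source_address, payload):
        """True once per approved message; False if unknown, altered or replayed."""
        mid = message_id(source_chain, source_address, payload)
        if mid in self._approved:
            self._approved.remove(mid)
            return True
        return False

class Portal:
    """Holds bridge liquidity; unlock() pays out of it."""
    def __init__(self, balance):
        self.balance = balance
    def unlock(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient liquidity")
        self.balance -= amount

def receive_unchecked(portal, source_chain, source_address, payload):
    """Flawed receiver: trusts the caller-supplied origin and unlocks."""
    portal.unlock(int(payload))
    return True

def receive_checked(portal, gateway, source_chain, source_address, payload):
    """Hardened receiver: origin must be allow-listed and attested by the gateway."""
    if (source_chain, source_address) not in TRUSTED_SOURCES:
        return False
    if not gateway.consume(source_chain, source_address, payload):
        return False
    portal.unlock(int(payload))
    return True
```

The hardened path rejects a message with an unknown origin, an altered payload, or one that was already executed, which are the properties the text says must hold before funds move.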
CrossCurve reported that they are conducting a thorough investigation to provide more details about this exploit.

