CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages

The CrossCurve decentralized cross-chain bridge suffered a major security breach today, resulting in the theft of approximately $3 million in various digital assets. The exploit targeted the bridge’s message passing and validation mechanisms, allowing the attacker to effectively spoof official transaction messages across different integrated blockchains, including Ethereum, Polygon, and BNB Chain.

Preliminary forensic analysis indicates that the vulnerability centered on the bridge’s inability to adequately verify the legitimacy of cross-chain proofs. The attacker utilized this flaw to craft malicious messages that appeared to originate from the source chain, tricking the destination chain’s relayers into authorizing fraudulent mints or withdrawals of locked assets.

The initial attack vector was confirmed around 14:00 UTC. The stolen funds were primarily stablecoins and native tokens, aggregated and subsequently laundered through various mixing services. The $3 million figure represents the current estimated total loss across all affected pools.

In response to the attack, the CrossCurve team immediately announced the temporary suspension of all bridge functions to prevent further outflows and deployed emergency patches. They have engaged leading blockchain security auditors to conduct a comprehensive post-mortem analysis and are cooperating with law enforcement agencies. The protocol has committed to exploring remediation strategies, including potential fund recovery efforts and a detailed community reimbursement plan upon concluding the investigation.

Source: CrossCurve bridge exploited for approximately $3 million across multiple chains via spoofed messages