CrossCurve, a cross-chain liquidity protocol, recently experienced a significant security incident that resulted in the loss of approximately $3 million worth of assets across multiple blockchains, including Ethereum and Arbitrum.

This incident was caused by a flaw in the cross-chain message delivery and verification logic, allowing attackers to bypass critical validation steps and execute unauthorized asset transfers.

Affected Contracts

The following contracts were involved in the incident:

PortalV2 https://etherscan.io/address/0xac8f44ceca92b2a4b30360e5bd3043850a0ffcbe

ReceiverAxelar (Primary Attack Vector) https://etherscan.io/address/0xb2185950f5a0a46687ac331916508aada202e063

Technical Root Cause Analysis

The vulnerability originated in the ReceiverAxelar contract, specifically in its handling of cross-chain message execution.

Under normal conditions, cross-chain messages relayed through Axelar must be validated by the Axelar Gateway to ensure that:

  • The message originated from the correct source chain
  • The sender address is authentic
  • The globally unique command ID has not been reused or forged

This validation is typically enforced using Axelar’s validateContractCall() function.

However, when the expressExecute() function was invoked, the ReceiverAxelar contract failed to call validateContractCall(). Instead, it proceeded directly to internal execution logic.

The only verification performed was a basic sender allowlist check using an address book. This incomplete validation allowed attackers to forge both the source chain identifier (chainIdFrom) and the sender address, enabling arbitrary execution of protocol logic.

Exploit Execution Flow

By bypassing gateway-level verification, the attacker crafted malicious cross-chain payloads and triggered internal state transitions using the following execution path:

expressExecute → Receiver.receiveData → CoreFacet.resume → PortalV2.unlock → Unauthorized asset transfers

Since the message was never cryptographically validated, the protocol incorrectly trusted forged cross-chain instructions.

Article content

Impact Assessment

The exploit resulted in:

  • Approximately $3 million in stolen assets
  • Losses across Ethereum and Arbitrum
  • Unauthorized unlocking and transfer of protocol-held funds

Common Cross-Chain Attack Vectors to Secure Against

This incident reflects several well-known cross-chain attack vectors that protocols must actively defend against:

  1. Missing Gateway Validation Any execution path that processes cross-chain messages without mandatory gateway verification can be exploited using forged payloads.
  2. Trusting Sender Allowlists Alone Allowlists do not guarantee message authenticity. Without cryptographic proof verification, sender checks are insufficient.
  3. Bypassing Command ID Uniqueness Failure to validate globally unique command IDs allows replay or spoofed cross-chain calls.
  4. Express or Fast-Path Execution Risks Optimized execution paths often skip critical security checks, making them high-risk attack surfaces.
  5. Implicit Trust in Cross-Chain Payloads All decoded payload data must be treated as untrusted input until fully verified.

Secure Cross-Chain Design Recommendations

To prevent similar incidents, cross-chain protocols should enforce the following security principles:

  • Mandatory gateway verification for every execution path
  • No distinction between “express” and “standard” execution when it comes to validation
  • Strict verification of source chain, sender, and command ID uniqueness
  • Defense-in-depth checks before unlocking or transferring assets
  • Regular adversarial testing focused on cross-chain message forgery

Incident Response and Mitigation

Following the discovery of the exploit, the CrossCurve team:

  • Announced a bounty and asset recovery initiative
  • Identified and locked ten wallet addresses associated with the attacker and suspicious fund flows
  • Initiated active measures to block further unauthorized asset movement
Article content

Security Support and Asset Protection

For protocols building or operating cross-chain infrastructure, proactive security reviews are essential.

Safe Edges specializes in advanced cross-chain security audits, exploit simulation, and asset protection strategies. The team has extensive experience identifying message forgery, gateway bypass, and asset-unlock vulnerabilities before they reach production.

For security audits, incident response, or asset protection support, contact: https://safeedges.in/contact

Early security intervention remains the most effective way to prevent irreversible asset loss in cross-chain systems.

1 COMMENT

  1. Cross-chain protocols are great for interoperability, but this incident highlights how even small vulnerabilities in message handling can lead to major losses. I think we’ll see more emphasis on robust auditing and testing in the future to mitigate these risks.

LEAVE A REPLY

Please enter your comment!
Please enter your name here