CrossCurve is giving wallet holders 72 hours to return stolen funds after a smart contract exploit drained millions from its cross-chain bridge.
Quick Summary – TLDR:
- CrossCurve lost about $3 million due to a smart contract vulnerability in its token bridge.
- Ten Ethereum wallets have been identified as recipients of the stolen funds.
- The company is offering a 10 percent bounty to encourage non-malicious return of funds.
- If unreturned within 72 hours, CrossCurve vows to pursue legal action and asset freezes.
What Happened?
Decentralized finance protocol CrossCurve, previously known as EYWA, suffered a major exploit over the weekend after a vulnerability in its smart contract code was used to steal funds. The breach affected the protocol’s cross-chain bridge, which is responsible for moving tokens between different blockchain networks.
Roughly $3 million was drained across multiple networks including Ethereum, Arbitrum, Optimism, Base, and more. CrossCurve has since issued a 72-hour ultimatum to the wallet holders who received the funds, offering a white-hat bounty if they return the assets voluntarily.
⚠️ URGENT Security Notice
— CrossCurve (@crosscurvefi) February 1, 2026
Dear users,
Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used.
Please pause all interactions with CrossCurve while the investigation is ongoing.
We appreciate your patience and… pic.twitter.com/yfo1KvWoDd
CrossCurve Identifies Wallets, Demands Cooperation
The CrossCurve team acted quickly after the exploit. CEO Boris Povar confirmed that ten Ethereum addresses were identified as holding the misappropriated funds. He stated that the breach was the result of a smart contract vulnerability that allowed a bad actor to send a fake cross-chain message, bypassing security checks and triggering token releases.
According to CrossCurve, there is no initial evidence that the fund recipients acted with intent to steal.
Povar said:
Despite the diplomatic tone, the company made it clear that consequences will follow if funds are not returned or if wallet owners fail to respond. A 10 percent bounty is being offered under the SafeHarbor white-hat policy, meaning the wallet owners can keep 10 percent of the assets if they return the rest.
Legal Threats If Deadline Missed
CrossCurve’s warning was unambiguous. If the 72-hour deadline passes without fund recovery or meaningful contact, the team will assume malicious intent and take aggressive legal steps.
These include:
- Filing criminal complaints.
- Initiating civil litigation.
- Working with exchanges and USDC issuer Circle to freeze assets.
- Publishing wallet addresses and detailed transaction records.
- Cooperating with law enforcement and blockchain analytics firms.
The announcement was made via CrossCurve’s official X (formerly Twitter) account and has sparked widespread attention within the crypto community. Experts from blockchain security firms like BlockSec and Defimon Alerts have also weighed in, estimating losses between $2.76 million and $3 million.
BlockSec broke down the damage across various chains:
- $1.3 million on Ethereum
- $1.28 million on Arbitrum
- Remaining losses scattered across Optimism, Base, Mantle, Kava, Frax, Celo, and Blast
CrossCurve Emphasizes Transparency
In a rare move, CrossCurve made the ten wallet addresses public, aiming to apply pressure while also giving the holders a chance to come forward. The company’s use of SafeHarbor signals a willingness to resolve the situation peacefully if possible, but its legal warnings show it is fully prepared to escalate.
This strategy mirrors previous cases in DeFi where some exploiters, once contacted and incentivized with bounties, have returned funds voluntarily. However, the clock is ticking fast for these wallet holders.
SQ Magazine Takeaway
As someone who’s followed DeFi hacks over the years, I find CrossCurve’s response to be a textbook example of how to handle an exploit fast and firmly. They’re offering a way out for those who may not have acted maliciously, but they’re not messing around when it comes to protecting users and funds. This hack also highlights the critical need for stronger security audits in cross-chain bridges, which remain one of the weakest links in decentralized finance. If you’re building in Web3, take notes.
