CrossCurve DeFi Protocol Hit by $3M Cross-Chain Bridge Exploit, Security Flaws Exposed

February 2, 2026
  • CrossCurve, a DeFi protocol formerly known as EYWA, says its cross-chain bridge was exploited in a smart contract attack, draining roughly $3 million across Ethereum, Arbitrum, Optimism, Base and other networks.

  • The incident confirms a bridge attack and losses of about $3 million across multiple networks, underscoring ongoing cross-chain security risks.

  • Analysts warn that cross-chain security remains vulnerable when receivers rely on bespoke validation logic, highlighting the need for robust authenticity verification before cross-chain actions.

  • CrossCurve publicly shared ten wallet addresses that received the stolen funds and signaled openness to a peaceful resolution, while reserving the right to pursue legal steps if needed.

  • CEO Boris Povar said there was no initial sign of malicious intent by the recipients, attributing the breach to a smart contract vulnerability that allowed a fake cross-chain message to trigger token releases.

  • CrossCurve has not released an official loss figure beyond identifying addresses and warning of legal action if funds aren’t returned.

  • Independent analyses from Defimon Alerts and BlockSec point to a fake cross-chain message and weak validation as core factors driving the attack.

  • This event is part of a broader surge in crypto thefts in early 2026, with hundreds of millions stolen in January and more than 40 major security incidents that month.

  • CrossCurve issued a 72-hour ultimatum, identifying the ten addresses and threatening legal and enforcement actions, including criminal referrals and asset freezes, if funds are not returned or contact is not made.

  • If no contact is established or funds are not returned within the window from a specific block, the incident would be escalated through criminal referrals, civil litigation, asset freezes via exchanges, and public wallet disclosures.

  • The company warned that failure to cooperate would lead to malicious-actor labeling and aggressive action across legal channels and enforcement coordination.

  • Experts compare the breach to prior bridge incidents, noting the weakest link is often the destination-chain receiver contract rather than the messaging protocol.

Summary based on 3 sources

