This report summarizes the $1.4M exploit of the CrossCurve protocol, caused by a critical implementation flaw in its cross-chain messaging logic. The attacker abused a publicly callable execution function combined with weak validation, allowing them to inject a malicious payload and mint a massive supply of EYWA tokens. By bypassing intended authentication checks, the exploit was repeated across multiple chains, with Arbitrum absorbing the majority of the losses.
How the Attack Worked
The attacker began by generating a fresh commandId and spoofing the sourceChain and sourceAddress to make the transaction appear like a legitimate cross-chain message. They then crafted a malicious ABI-encoded payload containing instructions to mint or transfer nearly 999.8M EYWA tokens to their own wallet.
This payload was executed by directly calling the expressExecute() function. The contract’s validation logic only checked whether the provided commandId had already been used. Since the attacker supplied a new identifier, the check passed.
Compounding the issue, the confirmation threshold was set to 1, effectively disabling multi-guardian verification. With no additional authentication required, the contract decoded and executed the attacker-controlled payload, updated internal state to simulate a valid cross-chain receipt, and transferred the tokens to the attacker’s EOA.
The same process was repeated across multiple networks, allowing the attacker to scale the exploit rapidly.
Root Cause: Weak Cross-Chain Access Control
At the core of the exploit was a critical access control flaw in CrossCurve’s Axelar integration, specifically within the ReceiverAxelar contract. The expressExecute() function — designed for expedited cross-chain execution — was publicly callable and lacked sufficient source validation.
Relying solely on commandId uniqueness and configuring the confirmation threshold to one removed meaningful security guarantees. Together, these design decisions allowed arbitrary payload execution without legitimate cross-chain authorization.
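The gap between the check described above and a hardened one, as an added Python model (not CrossCurve's or Axelar's code): a message executes only when a guardian quorum has attested to a digest covering every caller-supplied field. The guardian set, the `MIN_QUORUM` floor, the peer allow-list and the sample messages are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

MIN_QUORUM = 2  # assumed policy floor; a threshold of 1 means no multi-guardian check

def digest(command_id, chain, sender, payload: bytes) -> str:
    """Bind every caller-supplied field into the one value guardians attest to."""
    parts = (command_id.encode(), chain.encode(), sender.lower().encode(), payload)
    # Length-prefix each field so different field splits cannot collide.
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).hexdigest()

@dataclass
class Receiver:
    threshold: int
    guardians: frozenset
    trusted_peers: dict                              # source chain -> expected sender
    attested: dict = field(default_factory=dict)     # digest -> guardian ids
    used: set = field(default_factory=set)

    def weak_accepts(self, command_id, *_):
        """The check the post describes: commandId freshness only."""
        return command_id not in self.used

    def reject_reasons(self, command_id, chain, sender, payload):
        """Hardened check; an empty list means the message may execute."""
        reasons = []
        if command_id in self.used:
            reasons.append("commandId already used")
        if self.trusted_peers.get(chain) != sender.lower():
            reasons.append("source not allow-listed")
        if self.threshold < MIN_QUORUM:
            reasons.append("threshold below quorum floor")
        signers = self.attested.get(digest(command_id, chain, sender, payload), set())
        if len(signers & self.guardians) < max(self.threshold, MIN_QUORUM):
            reasons.append("no guardian quorum over this exact message")
        return reasons

    def execute(self, command_id, chain, sender, payload):
        reasons = self.reject_reasons(command_id, chain, sender, payload)
        if reasons:
            raise PermissionError("; ".join(reasons))
        self.used.add(command_id)
        return payload

# Constructed sample data (placeholders, not values from the incident).
def make_receiver(threshold):
    return Receiver(threshold, frozenset({"g1", "g2", "g3"}), {"chain-a": "0xpeer"})
LEGIT = ("cmd-1", "chain-a", "0xpeer", b"transfer:10")
FORGED = ("cmd-fresh", "chain-a", "0xpeer", b"mint:attacker")  # spoofed source fields
```

The forged message passes the allow-list because its source fields are caller-supplied; only the quorum attestation over the full digest rejects it.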
Want to know more?
We’ve published a detailed technical breakdown covering the full attack flow, root cause analysis and mitigation steps — Cross Curve Exploit 2026
Funds Flow After the Exploit
Most malicious activity occurred on Arbitrum, where the attacker gradually converted stolen tokens into WETH using the CoW Protocol. The funds were later bridged to Ethereum via the Across Protocol. While the attacker managed to mint EYWA on Ethereum as well, the lack of liquidity and frozen CEX deposits prevented further liquidation. As of reporting, most stolen assets remain in attacker-controlled wallets.
Key Takeaway
The CrossCurve incident highlights how implementation bugs and misconfigured cross-chain validation can be just as dangerous as classic smart contract vulnerabilities. Public execution paths, weak authentication, and disabled quorum checks create an ideal environment for large-scale exploits — especially on L2s.
Teams building or deploying on Arbitrum should treat cross-chain logic as a first-class attack surface, not a peripheral integration.