How Does CrossCurve Work?
A cross-chain bridge built specifically for Curve Finance pools, letting you swap stablecoins across blockchains. It raised $7M and processed $1.85B in its first year. Its D+ grade reflects a $3M hack in February 2026 caused by a missing security check that let anyone forge fake cross-chain messages.
TVL: —
Sector: Bridge
Risk Grade: D+
Value Grade: D-
Core Mechanisms
8.1.3
[Novel] Consensus Bridge: cross-chain messages validated through Axelar, LayerZero, and EYWA Oracle Network in parallel
CrossCurve routes cross-chain transactions through multiple independent validation protocols to reduce single points of failure. However, the February 2026 exploit showed that a bypass in just the Axelar pathway (ReceiverAxelar.expressExecute) was sufficient to drain funds.
8.1.1
PortalV2: lock-and-mint bridge contract holding cross-chain liquidity across Ethereum, Arbitrum, Optimism, BSC, Polygon
Standard lock-and-mint pattern where tokens are locked on the source chain and minted/unlocked on the destination. PortalV2 was the contract drained from ~$3M to near zero in the exploit.
4.1.3
[Novel] Cross-chain Curve pool access: routes swaps through Curve's stableswap pools across multiple chains
CrossCurve provides seamless access to Curve Finance pools across chains, tapping into $2.7B+ of Curve TVL. This is a novel cross-chain DEX aggregation pattern built specifically for the Curve ecosystem.
8.4.2
[Novel] EYWA Oracle Network: proprietary oracle validators providing cross-chain state proofs
CrossCurve operates its own oracle network (inherited from the EYWA Protocol rebrand) alongside Axelar and LayerZero. It is a custom oracle with a smaller validator set than established networks.
8.4.1
Relayer fee model for cross-chain message delivery across supported chains
Standard relayer-based fee model for delivering cross-chain messages. Relayers are paid per message to facilitate bridge operations.
2.1.2
Percentage-based bridge fees on cross-chain swap volume ($1.85B annual volume)
Standard percentage fee on each cross-chain swap. Protocol generated revenue from $1.85B in trading volume in its first year.
Yield/LP-Rewards
Cross-chain yield farming: LP rewards for providing liquidity in CrossCurve-connected Curve pools
LPs earn yield from both Curve pool fees and CrossCurve bridge fees. Liquidity mining incentives to attract cross-chain liquidity providers.
How the Pieces Interact
The expressExecute function in ReceiverAxelar allowed anyone to call it with a spoofed cross-chain message, bypassing the intended Axelar gateway validation. This triggered unauthorized token unlocks on PortalV2, draining $3M across multiple chains in February 2026.
Despite routing through three independent validation layers (Axelar, LayerZero, EYWA Oracle), a validation bypass in just the Axelar pathway was sufficient to drain funds. The 'consensus' model provided false security because each pathway could independently authorize unlocks.
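The failure mode in the two paragraphs above, as a simplified Python model added here (it is not CrossCurve's contract code): a vault that unlocks on any single pathway's say-so is only as strong as the one receiver that skips its gateway check. The `Portal` class, the `quorum` parameter and the sample messages are assumptions made for illustration.

```python
import hashlib

PATHWAYS = ("axelar", "layerzero", "eywa")  # validation layers named on the page


def msg_id(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


class Portal:
    """Toy vault (assumed model). Payload format b"unlock:<amount>" is constructed."""

    def __init__(self, balance, quorum, validates):
        self.balance = balance
        self.quorum = quorum          # pathways that must attest before an unlock
        self.validates = validates    # pathway -> does its receiver ask the gateway?
        self.approved = {p: set() for p in PATHWAYS}  # what each network really approved
        self.attested = {}            # message id -> pathways that delivered it
        self.executed = set()

    def receive(self, pathway, payload):
        """Receiver entry point, callable by anyone. True if funds were unlocked."""
        mid = msg_id(payload)
        if self.validates[pathway] and mid not in self.approved[pathway]:
            return False              # the gateway never approved this message
        self.attested.setdefault(mid, set()).add(pathway)
        if mid in self.executed or len(self.attested[mid]) < self.quorum:
            return False              # replay, or not enough independent pathways yet
        self.executed.add(mid)
        self.balance -= int(payload.split(b":")[1])
        return True


def run(quorum, axelar_checks):
    """Deliver one forged and one genuine message; return (forged_ok, genuine_ok, balance)."""
    portal = Portal(1000, quorum, {"axelar": axelar_checks, "layerzero": True, "eywa": True})
    forged, genuine = b"unlock:900", b"unlock:100"   # constructed sample messages
    for p in PATHWAYS:
        portal.approved[p].add(msg_id(genuine))      # only the genuine one is approved
    forged_ok = portal.receive("axelar", forged)
    genuine_ok = any([portal.receive(p, genuine) for p in PATHWAYS])
    return forged_ok, genuine_ok, portal.balance


if __name__ == "__main__":
    print("any-of, check missing :", run(1, False))
    print("any-of, check present :", run(1, True))
    print("2-of-3, check missing :", run(2, False))
```

With a quorum of 1 the unvalidated pathway alone unlocks the forged message; restoring the gateway check or requiring two pathways to attest the same message blocks it while the genuine message still settles.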
CrossCurve pools are connected to Curve Finance's $2.7B TVL. A bridge exploit that manipulates token balances across chains could create imbalanced Curve pools, causing impermanent loss for uninvolved LPs in connected Curve pools.
CrossCurve depends on three separate oracle/messaging networks with different security models and trust assumptions. A compromise of any single network is sufficient to forge messages, and coordinating security patches across three protocols is operationally complex.
The 10% bounty offered post-exploit relies on attacker cooperation. If the attacker launders funds through mixers (as commonly occurs), the protocol has no recovery mechanism. The CEO identified 10 Ethereum addresses but has no enforcement power.
What Could Go Wrong
- Exploited for $3M in February 2026 via spoofed cross-chain messages bypassing gateway validation in the ReceiverAxelar contract
- Multi-validator consensus bridge (Axelar + LayerZero + EYWA Oracle) had a missing validation check that allowed unauthorized token unlocks from PortalV2
- Cross-chain message validation is inherently complex; the protocol routes through three independent validation layers but a single bypass in one layer was sufficient to drain funds
Consensus Bridge Validator Collusion
[Moderate] Trigger: Attackers compromise or collude with a sufficient subset of CrossCurve's multi-validator consensus bridge (Axelar + LayerZero + EYWA Oracle) to forge cross-chain messages at will
- 1. Attacker identifies that the ReceiverAxelar contract's expressExecute function can be called with spoofed messages that bypass gateway validation (as demonstrated in Feb 2026 exploit) — Unauthorized token unlocks drain the PortalV2 contract across multiple chains simultaneously
- 2. Exploited validation bypass is replicated across all chains where CrossCurve operates (Ethereum, Arbitrum, Optimism, BSC, Polygon) — Total protocol TVL is drained as the same exploit pattern works on each chain's PortalV2 deployment
- 3. Curve Finance liquidity pools integrated with CrossCurve face imbalance as exploited tokens are dumped — Contagion spreads to Curve pools with $2.7B TVL; LPs in CrossCurve-connected pools face significant impermanent loss
Risk Profile at a Glance
Overall: D+ (62/100)
Lower score = safer