The CrossCurve $3M Bridge Exploit: How One Missing Check Let Attackers Forge Cross-Chain Messages

Source: DEV Community
The CrossCurve $3M Bridge Exploit

How a single missing access control check let an attacker forge cross-chain messages — and the 4-layer defense every bridge must implement

On February 1, 2026, the CrossCurve bridge (formerly EYWA) lost approximately $3 million across Arbitrum, Ethereum, and several other chains. The root cause wasn't a sophisticated flash loan or a novel cryptographic attack — it was a publicly callable function with insufficient input validation.

This is one of those exploits that makes auditors wince, because the fix is obvious in hindsight. But it reveals a systemic problem in cross-chain bridge architecture that goes far beyond one protocol.

Background: How CrossCurve's Bridge Worked

CrossCurve used Axelar's General Message Passing (GMP) to relay cross-chain messages. The architecture looked like this:

Source Chain                     Destination Chain
┌─────────┐    Axelar GMP     ┌──────────────────┐
│ Portal  │ ──────────────►   │ ReceiverAxelar   │
│ (lock)  │   commandId +     │ (validate + exec)
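
The validate-then-execute step on the destination chain described above, as an added Python model that is not CrossCurve's or Axelar's code. The class, method and field names are assumptions and the gateway is a toy stand-in; it contrasts a publicly callable entry point that trusts caller-supplied message fields with one that requires a one-shot gateway approval bound to the commandId, the source and the payload hash.

```python
import hashlib

class ToyGateway:
    """Hypothetical stand-in for the message gateway; not Axelar's API."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(command_id, src_chain, src_addr, payload):
        # Bind the approval to every field the receiver will act on.
        return (command_id, src_chain, src_addr, hashlib.sha256(payload).hexdigest())

    def approve(self, *msg):
        # Assumption: in a real bridge only the verified relay path reaches this.
        self._approved.add(self._key(*msg))

    def validate_and_consume(self, *msg):
        key = self._key(*msg)
        ok = key in self._approved
        self._approved.discard(key)  # one-shot, so a replay of the same message fails
        return ok

class ToyReceiver:
    def __init__(self, gateway, trusted_portals):
        self.gateway, self.trusted_portals, self.executed = gateway, trusted_portals, []

    def execute_unchecked(self, command_id, src_chain, src_addr, payload):
        # Weak form: publicly callable and believes whatever the caller passes in.
        self.executed.append(payload)
        return True

    def execute(self, command_id, src_chain, src_addr, payload):
        # Hardened form: known source contract AND gateway approval before acting.
        if self.trusted_portals.get(src_chain) != src_addr:
            return False
        if not self.gateway.validate_and_consume(command_id, src_chain, src_addr, payload):
            return False
        self.executed.append(payload)
        return True

def demo():
    # Constructed sample messages; chain names and addresses are made up.
    gw = ToyGateway()
    rx = ToyReceiver(gw, {"chain-a": "0xPortal"})
    real = ("cmd-1", "chain-a", "0xPortal", b"unlock 10 to alice")
    forged = ("cmd-2", "chain-a", "0xPortal", b"unlock 999 to mallory")
    gw.approve(*real)
    return {"forged_unchecked": rx.execute_unchecked(*forged), "forged_checked": rx.execute(*forged),
            "real_checked": rx.execute(*real), "replay_checked": rx.execute(*real)}
```

`demo()` shows the forged message executing only through the unchecked entry point, while the approved message executes once through the hardened one and is refused on replay.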