Overview
- CrossCurve publicly identified ten Ethereum addresses tied to the hack and gave a 72-hour window to return funds before pursuing criminal referrals, civil litigation, exchange freezes, and broader enforcement steps.
- Security firms estimate losses at roughly $2.76–$3 million across several chains, though CrossCurve has not confirmed a final figure for affected funds.
- Analysts attribute the breach to insufficient authentication in CrossCurve’s custom ReceiverAxelar contract, which let attackers bypass checks and execute fabricated messages to release assets.
- On-chain data shows the PortalV2 contract balance fell from about $3 million to near zero on January 31, with activity traced across networks including Ethereum and Arbitrum.
- CrossCurve urged users to halt interactions as it works with security partners, and Curve Finance advised participants with EYWA-linked pool exposure to reassess positions while the probe continues with no timeline for remediation.
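
The checks a cross-chain receiver needs before releasing assets, shown as an added Python model; it is not CrossCurve's or Axelar's code. The `Gateway` and `Receiver` classes, the peer address, the command IDs and the balances are all constructed for illustration, and SHA-256 stands in for the on-chain hash.

```python
import hashlib
from dataclasses import dataclass, field

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()  # stand-in for keccak256

@dataclass
class Gateway:
    """Hypothetical model of a bridge gateway: holds messages its validators approved."""
    approved: set = field(default_factory=set)

    def approve(self, command_id, chain, sender, payload):
        self.approved.add((command_id, chain, sender, payload_hash(payload)))

    def validate_call(self, command_id, chain, sender, p_hash):
        # An approval is consumed on use, so the same message cannot be replayed.
        key = (command_id, chain, sender, p_hash)
        if key in self.approved:
            self.approved.remove(key)
            return True
        return False

@dataclass
class Receiver:
    """Hypothetical receiver that releases funds only for authenticated messages."""
    gateway: Gateway
    trusted_peers: dict          # source chain -> expected sender contract
    vault: int = 1_000_000       # constructed balance

    def execute(self, command_id, chain, sender, payload):
        # 1. The sender must be the peer contract registered for that chain.
        if self.trusted_peers.get(chain) != sender:
            return "rejected: untrusted source"
        # 2. The gateway must have approved exactly this command and payload.
        if not self.gateway.validate_call(command_id, chain, sender, payload_hash(payload)):
            return "rejected: not approved by gateway"
        self.vault -= int(payload.decode())
        return "released"

def demo():
    gw = Gateway()
    rx = Receiver(gw, {"arbitrum": "0xPEER"})
    gw.approve("cmd-1", "arbitrum", "0xPEER", b"1000")
    calls = [("cmd-9", "0xPEER", b"1000000"),  # fabricated, never approved
             ("cmd-1", "0xEVIL", b"1000"),     # approved message, wrong sender
             ("cmd-1", "0xPEER", b"1000"),     # genuine
             ("cmd-1", "0xPEER", b"1000")]     # replay of the genuine message
    return [rx.execute(c, "arbitrum", s, p) for c, s, p in calls], rx.vault
```

Only the approved message from the registered peer releases funds; the fabricated message, the wrong sender and the replay are all refused.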