CrossCurve, the decentralized finance protocol previously known as EYWA, has moved from damage control to open confrontation after a multi-million dollar exploit of its cross-chain bridge. The team says it has identified ten Ethereum wallets that received funds from the attack and is now threatening both civil and criminal proceedings if the money is not returned.
According to the project’s statement, the incident occurred on Sunday when an attacker exploited a vulnerability in one of the smart contracts powering its token transfer system. This cross-chain bridge is designed to allow users to seamlessly move assets between different blockchains—a critical piece of infrastructure in today’s DeFi ecosystem, and historically one of its weakest points in terms of security.
CrossCurve’s internal investigation suggests that approximately $3 million worth of tokens were siphoned from users through the flawed contract. The team says the exploit did not stem from user error or private key compromise, but from a specific logical weakness in the protocol’s smart contract architecture, which the attacker managed to manipulate.
Several hours after disclosing the breach, CrossCurve CEO Boris Povar announced that the protocol had traced the flow of funds to ten Ethereum addresses. On-chain analysis apparently allowed the team to follow the movement of the stolen tokens and cluster them into a small group of recipients that they believe are directly or indirectly linked to the exploit.
In an unusual twist, Povar chose to publicly address the holders of those wallets with a relatively conciliatory tone. He acknowledged that the tokens had been “wrongfully taken from users due to a smart contract exploit,” but added that the team does not currently see clear evidence that the owners of the identified addresses acted with explicit malicious intent. In other words, the project is leaving open the possibility that some addresses could belong to intermediaries, sophisticated arbitrageurs, or even automated systems that interacted with the tainted funds after the fact.
Despite this softer framing, CrossCurve made it clear that it expects the funds to be returned. The team has issued a 72-hour deadline for any communication from the owners of the wallets in question and is demanding either the full return of the tokens or an agreement that would compensate affected users. If there is no response within that window, the project says it will escalate the matter.
Povar’s message explicitly referenced potential criminal and civil action. While the exact jurisdictions were not specified, such language typically signals that a project is prepared to involve law enforcement agencies, cybersecurity firms, and legal counsel to build a case around theft, fraud, or unauthorized access. In similar past incidents across the DeFi space, teams have engaged regulators, police, and international investigative bodies to track and freeze assets, especially once attackers attempt to route funds through centralized exchanges or fiat off-ramps.
The protocol’s statement also implies that the team is compiling a thorough dossier of evidence. This likely includes transaction histories, timing correlations, behavioral patterns on-chain, and any attempted interactions with exchanges or other DeFi platforms. Such data can be used not only for legal action, but also to flag the suspect wallets across the broader crypto ecosystem, making it more difficult for the attacker to liquidate or move the funds unnoticed.
CrossCurve has not disclosed in detail how the exploited vulnerability worked, citing ongoing investigation and security review. However, it did confirm that the issue was tied to one specific smart contract used in its cross-chain bridge infrastructure. As a result, the team says it has temporarily halted or restricted affected bridge operations while auditors and in-house developers conduct a full code review and patch deployment.
For users, the immediate concern is whether lost funds will be reimbursed. CrossCurve has not yet given a final commitment on compensation, emphasizing instead its priority of recovering assets from the identified wallets. In previous DeFi exploits, outcomes have ranged from full recovery and restitution, to partial coverage from project treasuries or insurance funds, to users bearing the full loss when neither recovery nor internal compensation was possible.
The incident underscores the persistent fragility of cross-chain bridges, which have repeatedly been targeted as high-value honeypots. Bridges often manage large pooled liquidity across multiple networks, and even a single overlooked edge case in contract logic can open the door to catastrophic drains. For attackers, the payoff can be huge; for protocols, one successful exploit can erase months or years of reputational and financial capital.
In this context, CrossCurve’s hardline stance on potential legal action is part of a broader shift in the industry. Early in DeFi’s history, many hacks ended in “white-hat negotiations,” where attackers returned most of the funds in exchange for a so-called bounty and informal immunity from consequences. Today, as regulatory scrutiny increases and law enforcement becomes more adept at tracing on-chain activity, projects are more willing to publicly threaten lawsuits and criminal complaints, especially for large-scale exploits.
There is also a strategic dimension to the 72-hour ultimatum. By putting a clear deadline in the public eye, CrossCurve is attempting to box the attacker into a corner: either begin negotiations and return the funds, or face a coordinated effort to identify, track, and pressure any off-ramp that touches the stolen assets. In many past cases, such public pressure has led to exchanges freezing deposits, halting withdrawals from flagged addresses, and sharing information with investigators.
Security experts are already using the CrossCurve incident to highlight best practices for users interacting with cross-chain protocols. These include diversifying bridges rather than relying on a single provider, avoiding keeping large balances on recently launched or lightly audited contracts, and monitoring announcements from protocols for any mention of emergency pauses or security incidents. For more advanced users, watching contract changes, governance proposals, and audit reports can also offer early warning signs of potential risk.
For developers and protocol teams, the takeaway is even more direct: cross-chain infrastructure requires rigorous, ongoing security audits, formal verification where possible, and conservative assumptions about potential attack vectors. As protocols scale, they must invest not only in code security, but also in incident response plans that include communication strategies, forensic capabilities, and clearly defined legal pathways.
The CrossCurve exploit is likely to remain in the spotlight as more details emerge about the vulnerability, the identified addresses, and whether the attacker responds to the project’s ultimatum. The outcome will shape not only the fate of affected users, but also the wider perception of how effectively DeFi projects can protect their communities—and how far they are willing to go when that protection fails.
For now, users are being advised to avoid interacting with any contracts or addresses connected to the exploit and to follow official updates from the CrossCurve team regarding the status of the bridge, the progress of the investigation, and any future plans for reimbursement or protocol changes.