Halborn: CrossCurve bridge hack exploited weak access controls, $3M lost
Security firm Halborn has published a breakdown of the CrossCurve exploit, saying the cross-chain bridge was hit for an estimated $3 million in February 2026 after attackers abused weak access controls in message-handling functions to trigger unauthorized token releases across multiple chains.
In Halborn’s telling, this wasn’t a “mysterious bridge failure.” It was a classic validation problem: the bridge’s receiver contract was tricked into believing a malicious message came from Axelar, and then it told the internal bridge to unlock funds as if a legitimate cross-chain transfer had occurred.
How the exploit worked
CrossCurve links multiple blockchains using Axelar-based receiver contracts plus internal PortalV2 bridge contracts. The receivers are meant to validate messages and only then authorize PortalV2 to release assets.
Halborn says the root cause was weak access controls in “expressExecute-like” functions that should only accept messages coming from Axelar. Instead, an attacker could craft messages to the ReceiverAxelar contract that passed validation checks and instructed it to release specific token amounts to attacker-controlled addresses.
Once the receiver accepted the fake message as legitimate, it directed the PortalV2 contract to unlock assets. Halborn says the attacker repeated the play across multiple supported chains, then swapped and bridged the stolen tokens into more liquid assets and attempted to launder funds. After detection, CrossCurve shut down the platform while investigating and remediating the issue.
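The trust decision described above, as a simplified Python model added here for illustration; it is not CrossCurve's, Axelar's or Halborn's code. Every class name, the message layout and the sample values are constructed, and the model assumes the gap is an express path that never asks the gateway whether the message was actually approved.

```python
class Gateway:
    """Stand-in for the messaging gateway: remembers which messages it approved."""
    def __init__(self):
        self._approved = set()
    def approve(self, *msg):
        self._approved.add(msg)
    def validate_call(self, *msg):
        """True once per approved message; the approval is then consumed (no replay)."""
        ok = msg in self._approved
        self._approved.discard(msg)
        return ok

class Portal:
    """Holds locked funds; only the registered receiver may unlock them."""
    def __init__(self, balance):
        self.balance, self.receiver = balance, None
    def unlock(self, caller, to, amount):
        if caller is not self.receiver or not 0 < amount <= self.balance:
            raise PermissionError("unlock refused")
        self.balance -= amount

class VulnerableReceiver:
    """Express path trusts the caller-supplied source fields and payload."""
    def __init__(self, gateway, portal, trusted):
        self.gateway, self.portal, self.trusted = gateway, portal, trusted
    def express_execute(self, command_id, chain, sender, payload):
        to, amount = payload.split(":")
        self.portal.unlock(self, to, int(amount))

class HardenedReceiver(VulnerableReceiver):
    def express_execute(self, command_id, chain, sender, payload):
        # Source fields are supplied by the caller; only gateway approval authenticates them.
        if (chain, sender) not in self.trusted or not self.gateway.validate_call(
                command_id, chain, sender, payload):
            raise PermissionError("message not approved by gateway")
        super().express_execute(command_id, chain, sender, payload)

def simulate(receiver_cls):
    """Deliver one approved and one unapproved message; return (forged_accepted, balance)."""
    gw, portal = Gateway(), Portal(1000)
    portal.receiver = rx = receiver_cls(gw, portal, {("chain-a", "0xPeer")})
    legit = ("cmd-1", "chain-a", "0xPeer", "0xUser:100")  # constructed sample message
    gw.approve(*legit)
    rx.express_execute(*legit)
    try:
        rx.express_execute("cmd-2", "chain-a", "0xPeer", "0xOther:900")  # never approved
        return True, portal.balance
    except PermissionError:
        return False, portal.balance
```

The unapproved message names a trusted peer as its source, so an allowlist on the claimed source alone would not stop it; the gateway approval check is what separates the two receivers.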
Why it matters for crypto
- Bridge exploits are still “validation exploits” at heart. When a bridge’s job is to decide whether a message is legitimate, any weakness in that decision logic becomes a direct path to funds.
- Cross-chain code is high-risk by design. Halborn’s takeaway is that bridging contracts sit at the “unlock funds” choke point, so access control and message validation are not optional hardening—they’re the product.
- Multi-chain support multiplies blast radius. Halborn says the attacker leveraged the same weakness across multiple chains, turning one bug into a broader drain.
What to watch next
- CrossCurve’s remediation details and restart plan. Halborn notes the team shut the platform down to investigate and remediate; the next signal is what changes before any relaunch.
- Any on-chain tracing and recovery efforts. Halborn says the attacker swapped, bridged, and laundered funds—watch for follow-on disclosures tied to tracing or attempted recoveries.
- Whether other Axelar-integrated bridges audit similar “expressExecute-like” pathways. The exploit hinged on message acceptance and access controls; similar patterns elsewhere may trigger proactive reviews.
Source: Halborn — “Explained: The CrossCurve Hack (February 2026)”