CrossCurve (formerly EYWA), a cross-chain liquidity protocol, confirmed that its cross-chain bridge was attacked through a smart contract vulnerability. The attack stemmed from missing gateway verification: attackers could forge cross-chain messages that bypassed verification and triggered unauthorized token unlocks in the PortalV2 contract. Approximately $3 million was transferred out across multiple chains. Security analysis located the vulnerability in the ReceiverAxelar contract, whose expressExecute function could be called directly with forged messages to complete the attack. (The Block)
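The missing check described above, as an added example: a simplified Python model, not CrossCurve's or Axelar's code, of a receiver entry point that unlocks funds with and without asking the gateway whether the message was approved. The `Gateway`, `Portal`, `Receiver` and `run` names, the message fields and the sample message are assumptions constructed for illustration.

```python
import hashlib

class Gateway:
    """Model of a bridge gateway that records which messages were approved."""
    def __init__(self):
        self._approved = set()

    @staticmethod
    def _key(command_id, source_chain, source_address, payload):
        h = hashlib.sha256()
        for part in (command_id, source_chain.encode(), source_address.encode(), payload):
            h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
        return h.digest()

    def approve(self, *msg):
        self._approved.add(self._key(*msg))

    def validate(self, *msg):
        """Consume an approval exactly once; False for unapproved or replayed messages."""
        key = self._key(*msg)
        if key not in self._approved:
            return False
        self._approved.remove(key)
        return True

class Portal:
    """Model of the token-holding contract; only the receiver calls unlock()."""
    def __init__(self, locked):
        self.locked = locked

    def unlock(self, amount):
        if amount > self.locked:
            raise ValueError("insufficient locked balance")
        self.locked -= amount

class Receiver:
    def __init__(self, gateway, portal, verify_gateway):
        self.gateway, self.portal, self.verify_gateway = gateway, portal, verify_gateway

    def express_execute(self, command_id, source_chain, source_address, payload):
        msg = (command_id, source_chain, source_address, payload)
        # The hardened variant refuses any message the gateway did not approve.
        if self.verify_gateway and not self.gateway.validate(*msg):
            raise PermissionError("message not approved by gateway")
        self.portal.unlock(int.from_bytes(payload, "big"))

def run(verify_gateway, approved):
    """Deliver one constructed message; return the portal balance afterwards."""
    gw, portal = Gateway(), Portal(locked=1000)
    msg = (b"\x01" * 32, "chain-a", "0xSender", (400).to_bytes(32, "big"))
    if approved:
        gw.approve(*msg)
    Receiver(gw, portal, verify_gateway).express_execute(*msg)
    return portal.locked
```

With `verify_gateway=False` the unapproved message still reduces the locked balance; with the check enabled the same message is rejected, and an approved message is accepted only once.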