CrossCurve, FutureSwapX, and JFIN Lose Over $1.9M to Preventable Exploits

In Brief

Olympix

~3 min read · February 11, 2026 (Updated: February 11, 2026) · Free: Yes

CrossCurve lost $1.4M due to missing access control checks.
JFIN lost $15K because of a double counting error for reward calculation.
FutureSwapX lost $500K after flash-loaned tokens were counted as voting power.

Hacks Analysis

CrossCurve | Amount Lost: $1.4M

On February 1st, the CrossCurve exploit across multiple chains resulted in a $1.4M loss. The root cause was a missing access control check in the expressExecute() function of the cross-chain receiver contract. This function executed messages without verifying that they were authorized by the Axelar Gateway. The only validation was that a commandId had not been used before. This allowed anyone to generate a fresh commandId and call expressExecute() directly. The attacker supplied arbitrary source chain data and a crafted ABI-encoded payload. The contract trusted this input and executed internal logic. This allowed the attacker to transfer tokens to their own wallet.

Exploited Contract: 0xb2185950f5a0a46687ac331916508aada202e063

Transaction: 0x37d9b911ef710be851a2e08e1cfc61c2544db0f208faeade29ee98cc7506ccc2

JFIN | Amount Lost: $15K

On December 20th, the JFIN exploit on the Ethereum mainnet resulted in a $15K loss. The root cause of the exploit was a reward calculation error (double counting) in the JFIN LCBridgev2Token contract's stake() function. Before updating a user's stake, the contract added getReward(account) to debtReward. However, getReward() already included the existing debtReward. This caused the old debt to be counted twice. By repeatedly calling stake() with 1 WEI, an attacker inflated debtReward. The attacker then called claimReward() to withdraw the inflated balance.

Exploited Contract: 0x3EbFd0EFC49a27fb633bd56013E4220EBC2c3C6d

Transaction: 0xf867d1d7164ac9178d81696c989f65e817b8cab14850345ab3a1f99bbe547210

FutureSwapX | Amount Lost: $500K

On December 14th, the FutureSwapX exploit on the Ethereum mainnet resulted in a $500K loss. The root cause of the exploit was a voting logic vulnerability that allowed flashloaned tokens to be counted as voting power. The attacker first flash loaned 3.6M FST tokens and created a proposal in the same transaction. FutureSwap's Governance contract recorded the attacker's inflated balance. The attacker then voted using the recorded snapshot balance. After voting, the flash loan was repaid. The proposal passed with artificial voting power, allowing the attacker to drain funds.

Exploited Contract: 0x0a7f8161605acc552fa38fdb8ee7d8177c9ac22a

Transaction: 0x23c6a1e3fa409fcf17b4a6c385924a17546772ce77b314d001cbf0dab9469ba3

Olympix: Your Partner in Secure Smart Contracts

Olympix provides advanced Solidity analysis tools to help developers identify and fix vulnerabilities before they become critical exploits.

Get started today to fortify your smart contracts and proactively shield them from exploits in the evolving Web3 security landscape.

Connect with us on:

#web3 #defi #smart-contracts #exploit