# RugTrace Investigation Report

![Case-level investigation graph](/case-reports/crosscurve-bridge-breach-2026-02/graph.svg)

## 1. Executive Summary
This report analyzes a case-level fund flow graph associated with the reported CrossCurve bridge breach. The incident is characterized by a reported cross-chain message spoofing or bridge exploit, resulting in a loss of approximately 3,000,000 USD/SOL. The analysis indicates a rapid movement of funds from the victim entity to a merged suspect node, which then shows interactions with cross-chain bridge infrastructure (Axelar, Axelarscan) and the Curve protocol. The flow pattern matches several historical case templates involving rapid fund movement and potential cashout via aggregators or bridges.

## 2. Input Transaction
- **Signature:** `case:crosscurve-bridge-breach-2026-02`
- **Block Time:** 2026-05-01T10:19:47.732Z
- **Signers:** `CrossCurve bridge breach`
- **Native Transfers:**
    1. From `CrossCurve bridge breach` to `Merged attack source` for 3,000,000 USD/SOL.
    2. From `Merged attack source` to `Axelar` for 0 SOL.
    3. From `Merged attack source` to `Axelarscan` for 0 SOL.
- **Token Transfers:** None.
- **Program Interactions:** Interaction with the `Curve` program.

## 3. Victim-Side Fund Flow
The entity identified as the victim, `CrossCurve bridge breach`, is the source of the initial outflow. A single, large transfer of 3,000,000 USD/SOL was made from this wallet to the `Merged attack source` node. This movement is reported as the result of a cross-chain message spoofing or bridge exploit.

## 4. Suspect-Side Fund Flow
The `Merged attack source` node received the 3,000,000 USD/SOL from the victim. Subsequently, this node shows two outgoing transfers of 0 SOL to the `Axelar` and `Axelarscan` programs. These are interpreted as contextual interactions related to cross-chain bridge networks and explorers, rather than value transfers. The node also interacted with the `Curve` DEX program.

## 5. Wallets Involved
| Node ID | Label | Type | Role | Risk Score |
| :--- | :--- | :--- | :--- | :--- |
| `victim-crosscurve-bridge-breach-2026-02` | CrossCurve bridge breach | Wallet | Victim | 0.35 |
| `case-crosscurve-bridge-breach-2026-02` | Merged attack source | Wallet | Suspect | 0.78 |
| `entity-crosscurve-bridge-breach-2026-02-0-axelar` | Axelar | Program | Cashout Candidate | 0.52 |
| `entity-crosscurve-bridge-breach-2026-02-1-axelarscan` | Axelarscan | Program | Cashout Candidate | 0.52 |
| `entity-crosscurve-bridge-breach-2026-02-2-curve` | Curve | Program | Program | 0.52 |

## 6. Evidence Table
| Signature | From | To | Amount | Token | Interpretation |
| :--- | :--- | :--- | :--- | :--- | :--- |
| `case:crosscurve-bridge-breach-2026-02` | `victim-crosscurve-bridge-breach-2026-02` | `case-crosscurve-bridge-breach-2026-02` | 3000000 | USD/SOL | reported cross-chain message spoofing / bridge exploit |
| `case:crosscurve-bridge-breach-2026-02` | `case-crosscurve-bridge-breach-2026-02` | `entity-crosscurve-bridge-breach-2026-02-0-axelar` | 0 | SOL | Bridge network context named in public reports. |
| `case:crosscurve-bridge-breach-2026-02` | `case-crosscurve-bridge-breach-2026-02` | `entity-crosscurve-bridge-breach-2026-02-1-axelarscan` | 0 | SOL | Explorer entry point for cross-chain message review. |

## 7. Pattern Matches
The fund flow graph matched several patterns from persistent memory and case libraries:
1.  **Split-and-Scatter Exit (Similarity: 0.60):** A pattern from a previous case involving rapid movement and large single-hop transfers.
2.  **Protocol Exposure Cascade (Similarity: 0.84):** A pattern from the "Carrot Drift exposure" case, involving rapid movement and large single-hop transfers.
3.  **Fast Fund -> Launch -> Drain (Similarity: 0.67):** A general pattern where a wallet receives funding before suspicious activity and then rapidly drains funds.
4.  **Fast Fund -> Launch -> Drain (Similarity: 0.75):** A pattern from the "$HAWK media-reported launch collapse" case, involving rapid movement and large single-hop transfers.
5.  **Fast Fund -> Launch -> Drain (Similarity: 0.75):** A pattern from the "$JENNER celebrity token reported middleman dispute" case, involving rapid movement and large single-hop transfers.

**Common Evidence Cited:** Rapid movement within a 0.0-minute window, presence of a known Solana program interaction, and a large single-hop movement of 3,000,000 SOL/token units.

## 8. Confidence and Limitations
- **Confidence:** The graph is built from a case-level summary and source-reported entities. The inference of victim and suspect roles is based on the case context provided.
- **Limitations:**
    - The source transaction node (`tx-source-crosscurve-bridge-breach-2026-02`) has **low confidence** and notes that "No reviewed Solana transaction signature is attached yet." The primary signature (`case:crosscurve-bridge-breach-2026-02`) is a case identifier, not a verified on-chain transaction hash.
    - The graph metadata warns that "Candidate transactions need manual role review before being treated as verified exploit transactions."
    - The `Merged attack source` is a case-level aggregation node, not a single, verified wallet address.
    - The 0 SOL transfers to Axelar/Axelarscan are contextual and do not represent value movement.

## 9. Suggested Next Steps
1.  **Obtain Verified Transaction Signatures:** Locate and analyze the actual Solana transaction(s) that executed the reported 3,000,000 USD/SOL transfer from the victim to the suspect entity.
2.  **Trace Cross-Chain Movement:** Investigate the Axelar network and Axelarscan for messages or transactions originating from the suspect entity around the incident time to trace potential cross-chain fund movement.
3.  **Analyze Curve Interaction:** Examine the specific interaction with the Curve program by the suspect entity to determine if it involved token swaps or liquidity actions that could be part of a cashout strategy.
4.  **Expand Wallet Cluster:** If a verified suspect wallet address is identified, expand the investigation to map its full transaction history and counterparty network.
5.  **Corroborate with Public Reports:** Cross-reference the findings with the public report linked
