Hackers have reportedly drained $11.58 million from the Verus-Ethereum bridge.
According to alerts from various blockchain security platforms, the exploit hit one of Verus’ cross-chain bridge contracts and emptied reserves containing ETH, tBTC, and USDC.
How the Attack Worked
Two of the firms, CertiK and PeckShield, flagged suspicious activity from the bridge contract at 0x71518580…cd7f63 within hours of the exploit.
Per their posts on X, the stolen assets totaled 1,625 ETH, 103.56 tBTC, and 147,000 USDC, with the attacker quickly swapping everything into approximately 5,402 ETH and parking the funds in a separate wallet.
Another on-chain security firm, Blockaid, published a technical breakdown shortly after, and it is the clearest account of what went wrong.
According to them, the bridge correctly checked three things: a notarized Verus state root signed by eight of fifteen notaries, a Merkle proof of the cross-chain export, and a hash binding confirming the integrity of the transfer data. However, what it did not check was whether the source-chain export’s stated amounts actually matched what it was about to pay out.
The attacker reportedly built a transaction on the Verus side for roughly 0.02 VRSC, which is about $0.01 at current prices, that committed a keccak hash of a payout blob while listing empty source-side totals. The Verus protocol accepted it as legitimate, and the notaries signed the resulting state root without issue, because from their perspective, nothing was wrong.
On the Ethereum side, the attacker called submitImports() with a serialized transfer blob whose hash matched the committed value, so the bridge verified the hash, decoded the blob, and paid out 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves to the attacker.
In a nutshell, it cost the attacker about $10 in VRSC fees for a return of $11.58 million. Per the Blockaid report, there was no ECDSA bypass, no compromise of notary keys, and no parser or hash-binding bug.
The vulnerability was a missing source-amount validation in a function called “checkCCEValues,” which, according to the security firm, would take around ten lines of Solidity to fix.
Bridge Exploits Are on the Rise
Last month, according to Certik, the wider crypto sector lost more than $650 million to bad actors, with a huge chunk of that amount coming from just two incidents: an attack on KelpDAO that led to the theft of more than $292 million and another on Drift Protocol, which lost over $285 million.
Bridges are also being increasingly targeted, with the Verus exploit being the eighth incident involving such platforms this year, and according to PeckShield, their attackers have made off with at least $328 million.
Meanwhile, looking at the market, VRSC, the Verus native token, didn’t seem to have reacted to the news of the exploit. Data from CoinGecko shows that it was largely flat on the day of the hack, having barely moved in the 24-hour window heading into the attack.
At the time of writing, it was trading at around $0.75, down 6% in 30 days, while in the last year it has lost close to 73% of its value.
게시물 Hacker Steals Over $11M From Verus-Ethereum Bridge 에 처음 등장 크립토포테이토.
한국어 
English 
Română 
Eesti 
日本語 
Русский 
Deutsch 
Español 
简体中文 
Français 
繁體中文 
Português 
Italiano 
Polski 
Türkçe 
Nederlands 
Bahasa Indonesia 
Ελληνικά 
Українська 
Български 
Čeština 
Suomi 
Magyar 
Latviešu valoda 
Lietuvių kalba 
Norsk bokmål 
Slovenčina 
Slovenščina 
Svenska
답글 남기기