
Hacker Steals Over $11M From Verus-Ethereum Bridge

Hackers have reportedly drained $11.58 million from the Verus-Ethereum bridge.

According to alerts from various blockchain security platforms, the exploit hit one of Verus’ cross-chain bridge contracts and emptied reserves containing ETH, tBTC, and USDC.

How the Attack Worked

Two of the firms, CertiK and PeckShield, flagged suspicious activity from the bridge contract at 0x71518580…cd7f63 within hours of the exploit.

Per their posts on X, the stolen assets totaled 1,625 ETH, 103.56 tBTC, and 147,000 USDC, with the attacker quickly swapping everything into approximately 5,402 ETH and parking the funds in a separate wallet.

Another on-chain security firm, Blockaid, published a technical breakdown shortly after, and it is the clearest account of what went wrong.

According to them, the bridge correctly checked three things: a notarized Verus state root signed by eight of fifteen notaries, a Merkle proof of the cross-chain export, and a hash binding confirming the integrity of the transfer data. However, what it did not check was whether the source-chain export’s stated amounts actually matched what it was about to pay out.

The attacker reportedly built a transaction on the Verus side for roughly 0.02 VRSC, which is about $0.01 at current prices, that committed a keccak hash of a payout blob while listing empty source-side totals. The Verus protocol accepted it as legitimate, and the notaries signed the resulting state root without issue, because from their perspective, nothing was wrong.

On the Ethereum side, the attacker called submitImports() with a serialized transfer blob whose hash matched the committed value, so the bridge verified the hash, decoded the blob, and paid out 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves to the attacker.

In a nutshell, it cost the attacker about $10 in VRSC fees for a return of $11.58 million. Per the Blockaid report, there was no ECDSA bypass, no compromise of notary keys, and no parser or hash-binding bug.

The vulnerability was a missing source-amount validation in a function called “checkCCEValues,” which, according to the security firm, would take around ten lines of Solidity to fix.
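The gap described above can be shown with a small model. This is an added example, not the Verus bridge's contract code: it assumes the notary-signature and Merkle-proof checks have already passed, uses SHA3-256 as a stand-in for keccak, and all names, the serialization format and the sample values are hypothetical. It contrasts a verifier that checks only the hash binding with one that also requires payouts to be covered by the totals declared on the source chain.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

def commit(blob: bytes) -> bytes:
    # Stand-in for keccak256: hashlib has no Keccak-256, so the model uses SHA3-256.
    return hashlib.sha3_256(blob).digest()

@dataclass(frozen=True)
class Export:
    """Source-chain export as seen by the bridge (field names are assumptions)."""
    totals: dict           # currency -> amount declared on the source chain
    transfers_hash: bytes  # commitment to the serialized payout blob

def encode(transfers) -> bytes:
    # Toy serialization: one "currency:amount:recipient" line per transfer.
    return "\n".join(f"{c}:{a}:{r}" for c, a, r in transfers).encode()

def decode(blob: bytes):
    rows = [line.split(":") for line in blob.decode().splitlines()]
    return [(c, int(a), r) for c, a, r in rows]

def verify_binding_only(export: Export, blob: bytes):
    """Hash binding alone: proves the blob is the committed one, nothing more."""
    if commit(blob) != export.transfers_hash:
        raise ValueError("payout blob does not match committed hash")
    return decode(blob)

def verify_with_amounts(export: Export, blob: bytes):
    """Hash binding plus the source-amount check the report says was missing."""
    transfers = verify_binding_only(export, blob)
    paid = Counter()
    for currency, amount, _recipient in transfers:
        if amount <= 0:
            raise ValueError("non-positive transfer amount")
        paid[currency] += amount
    for currency, amount in paid.items():
        if amount > export.totals.get(currency, 0):
            raise ValueError(f"{currency}: payout {amount} exceeds declared source total")
    return transfers

# Constructed sample data (not taken from the chain).
honest_blob = encode([("ETH", 5, "0xRecipientA")])
honest = Export({"ETH": 5}, commit(honest_blob))
mismatch_blob = encode([("ETH", 1625, "0xRecipientB")])
mismatch = Export({}, commit(mismatch_blob))  # empty source-side totals
```

A valid hash binding only ties the payout blob to the export; the reconciliation against declared totals is the invariant to monitor and test for in any bridge that pays out from reserves.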

Bridge Exploits Are on the Rise

Last month, according to CertiK, the wider crypto sector lost more than $650 million to bad actors, with a huge chunk of that amount coming from just two incidents: an attack on KelpDAO that led to the theft of more than $292 million and another on Drift Protocol, which lost over $285 million.

Bridges are also being increasingly targeted, with the Verus exploit being the eighth incident involving such platforms this year, and according to PeckShield, their attackers have made off with at least $328 million.

Meanwhile, looking at the market, VRSC, the Verus native token, didn’t seem to have reacted to the news of the exploit. Data from CoinGecko shows that it was largely flat on the day of the hack, having barely moved in the 24-hour window heading into the attack.

At the time of writing, it was trading at around $0.75, down 6% in 30 days, while in the last year it has lost close to 73% of its value.

The post Hacker Steals Over $11M From Verus-Ethereum Bridge first appeared on CryptoPotato.

