Hacker Drains $11M+ From Verus–Ethereum Bridge Exploit

Hackers reportedly drained $11.58 million from the Verus-Ethereum bridge.

Alerts from several blockchain security firms indicate an exploit targeted one of Verus’ cross-chain bridge contracts, emptying reserves that held ETH, tBTC, and USDC.

How the Attack Worked

Security teams including CertiK and PeckShield detected suspicious activity from the bridge contract at 0x71518580…cd7f63 within hours of the incident.

According to their reports, the stolen assets amounted to 1,625 ETH, 103.56 tBTC, and 147,000 USDC. The attacker then quickly swapped and consolidated funds into roughly 5,402 ETH and moved them to a separate wallet.

Blockaid published a technical analysis shortly after and provided the clearest account of the vulnerability and exploit method.

The bridge correctly validated three elements: a notarized Verus state root signed by eight of fifteen notaries, a Merkle proof of the cross-chain export, and a hash binding intended to ensure the integrity of transfer data. What it failed to validate was whether the source-chain export’s stated amounts actually matched the amounts it was about to disburse.

The attacker constructed a transaction on the Verus side committing a keccak hash of a payout blob while listing empty source-side totals. The transaction included a nominal fee of roughly 0.02 VRSC (around $0.01 at current prices). The Verus protocol accepted the transaction as valid, and notaries signed the resulting state root because the submission appeared legitimate from their perspective.

On the Ethereum side, the attacker invoked submitImports() with a serialized transfer blob whose hash matched the committed value. The bridge verified that hash, decoded the blob, and released 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves to the attacker.

In short, the exploit cost the attacker about $0.01 in VRSC fees in exchange for $11.58 million in assets. Blockaid emphasized that there was no ECDSA key compromise, no bypass of notary keys, and no parser or hash-binding bug. Instead, the root cause was a missing validation of source-side amounts in a function named “checkCCEValues”. According to the security firm, fixing the issue would require roughly ten lines of Solidity code to ensure the bridge verifies source amounts before releasing funds.
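
The gap described above, modeled in Python as an added example; it is not Verus or Blockaid code and not the actual Solidity fix. The Export record, the blob wire format, the sample values, and the use of SHA3-256 in place of keccak256 are all assumptions made for illustration, and the notary signatures and Merkle proof are taken as already verified.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

def blob_hash(blob: bytes) -> bytes:
    # Stand-in for keccak256: hashlib's SHA3-256 pads differently, same role here.
    return hashlib.sha3_256(blob).digest()

@dataclass(frozen=True)
class Export:
    """Hypothetical export whose notarization and Merkle proof already passed."""
    transfers_hash: bytes   # commitment to the payout blob
    totals: dict            # currency -> amount the source chain says left it

def decode(blob: bytes) -> list:
    # Constructed wire format: "currency:amount:recipient" entries joined by ';'.
    transfers = []
    for entry in blob.decode().split(";"):
        currency, amount, recipient = entry.split(":")
        transfers.append((currency, int(amount), recipient))
    return transfers

def accept_hash_only(export: Export, blob: bytes) -> list:
    # Behaviour the article describes: the blob is bound to the export, amounts are not.
    if blob_hash(blob) != export.transfers_hash:
        raise ValueError("blob does not match committed hash")
    return decode(blob)

def accept_with_amount_check(export: Export, blob: bytes) -> list:
    transfers = accept_hash_only(export, blob)
    paid = Counter()
    for currency, amount, _ in transfers:
        if amount <= 0:
            raise ValueError("non-positive transfer amount")
        paid[currency] += amount
    # Exact match is a simplification; a real bridge would also account for fees.
    if dict(paid) != export.totals:
        raise ValueError("payout totals differ from source-side totals")
    return transfers

# Constructed sample data (integer base units, placeholder recipients).
BLOB = b"ETH:5:alice;USDC:300:bob;ETH:2:carol"
BALANCED = Export(blob_hash(BLOB), {"ETH": 7, "USDC": 300})
EMPTY_TOTALS = Export(blob_hash(BLOB), {})

def is_rejected(check, export: Export, blob: bytes) -> bool:
    try:
        check(export, blob)
        return False
    except ValueError:
        return True
```

Both checks accept BALANCED; only accept_with_amount_check rejects EMPTY_TOTALS, because the hash binding proves the blob is the one committed on the source chain but says nothing about whether the source chain recorded matching value.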

Bridge Exploits Are on the Rise

Bridge vulnerabilities and large-scale hacks have grown more frequent. Last month, CertiK reported that the broader crypto sector lost over $650 million to attacks, with much of that total stemming from two major incidents: a KelpDAO breach that resulted in more than $292 million stolen and an attack on Drift Protocol that led to losses exceeding $285 million.

Cross-chain bridges are increasingly targeted by attackers. The Verus exploit is the eighth bridge-related incident reported this year. PeckShield estimates that attackers exploiting bridge platforms have taken at least $328 million so far.

Market reaction to the Verus exploit was muted. VRSC, the native Verus token, showed little immediate movement on the day of the hack. CoinGecko data indicated the token was largely flat in the 24-hour window preceding the attack.

At the time of reporting, VRSC traded around $0.75, down about 6% over 30 days and roughly 73% over the past year.