Hackers have drained approximately $11.58 million from the Verus-Ethereum cross-chain bridge. Security firms report the exploit was due to a missing validation check in the bridge contract, allowing the attacker to withdraw vast reserves with a negligible cost. Despite the scale of the breach, the Verus native token showed little immediate reaction following news of the exploit.
Hackers have reportedly drained $11.58 million from the Verus-Ethereum bridge. The exploit hit one of Verus’ cross-chain bridge contracts and emptied reserves containing ETH, tBTC, and USDC.
According to alerts from blockchain security platforms, the stolen assets totaled 1,625 ETH, 103.56 tBTC, and 147,000 USDC. The attacker quickly swapped everything into approximately 5,402 ETH and parked the funds in a separate wallet.
A technical breakdown published by Blockaid details the attack’s mechanism. The bridge correctly performed several security checks but did not validate whether the amounts stated in the source-chain export matched the amounts it was about to pay out.
The attacker built a transaction on the Verus side for roughly $0.01 that committed a hash of a payout blob while listing empty source-side totals. The Verus protocol accepted it as legitimate, and the notaries signed the resulting state root.
On the Ethereum side, the attacker called a function with a transfer blob whose hash matched the committed value. The bridge then paid out $11.58 million from its reserves to the attacker.
“The vulnerability was a missing source-amount validation in a function called ‘checkCCEValues,’ which, according to the security firm, would take around ten lines of Solidity to fix.” Notary keys were not compromised, and there was no hash-binding bug.
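To make the missing check concrete, here is an added, hypothetical illustration of what an amount-binding validation looks like. It is not Verus code and does not reproduce the real `checkCCEValues` function; the contract name, struct layout and function names are assumptions chosen for the example. The point it demonstrates is that verifying a hash commitment alone binds the payout blob to the export, but only an explicit comparison of the per-token totals binds the payout to what the source chain actually reported:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified bridge export check (added example, not Verus code).
// An export carries (a) a hash commitment to the payout blob and
// (b) the per-token totals the source chain claims were locked.
contract ExportAmountCheck {
    struct Transfer { address token; uint256 amount; }

    struct Export {
        bytes32   transfersHash; // commitment to the payout blob
        address[] tokens;        // source-side tokens, as stated by the source chain
        uint256[] totals;        // source-side total per token, same order as `tokens`
    }

    error HashMismatch();
    error LengthMismatch();
    error UnknownToken(address token);
    error AmountMismatch(address token, uint256 stated, uint256 requested);

    // Returns true only if the payout blob matches BOTH the committed hash
    // and the stated source-side totals. Reverts otherwise.
    function checkExportValues(Export calldata exp, Transfer[] calldata transfers)
        public pure returns (bool)
    {
        // 1. Hash binding: the blob presented for payout must be the one committed to.
        if (keccak256(abi.encode(transfers)) != exp.transfersHash) revert HashMismatch();
        if (exp.tokens.length != exp.totals.length) revert LengthMismatch();

        // 2. Amount binding: sum the blob per token and compare with the stated totals.
        //    An export that states empty totals while the blob requests funds fails here:
        //    the blob's token is not in `exp.tokens`, or its sum exceeds a stated total of 0.
        uint256[] memory sums = new uint256[](exp.tokens.length);
        for (uint256 i = 0; i < transfers.length; i++) {
            uint256 idx = _indexOf(exp.tokens, transfers[i].token);
            sums[idx] += transfers[i].amount; // checked arithmetic in 0.8.x
        }
        for (uint256 j = 0; j < exp.tokens.length; j++) {
            if (sums[j] != exp.totals[j]) {
                revert AmountMismatch(exp.tokens[j], exp.totals[j], sums[j]);
            }
        }
        return true;
    }

    function _indexOf(address[] calldata tokens, address token) private pure returns (uint256) {
        for (uint256 i = 0; i < tokens.length; i++) {
            if (tokens[i] == token) return i;
        }
        revert UnknownToken(token);
    }
}
```

The second loop is the part the article describes as missing: without it, a blob whose hash matches the commitment is paid out regardless of what the export said was locked on the source chain. In a real bridge the stated totals must themselves be tied to funds actually locked or burned on the source side, so this check is necessary but not sufficient on its own.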
Bridge exploits are on the rise, with the Verus incident being the eighth this year. According to PeckShield, attackers have made off with at least $328 million from such platforms.
Last month, the wider crypto sector lost more than $650 million to bad actors. A huge chunk of that amount came from just two incidents involving KelpDAO and Drift Protocol.
The native token VRSC did not appear to react to news of the exploit. It was largely flat on the day of the hack, having barely moved in the 24-hour window leading into the attack.
