Verus Ethereum Bridge Exploited For $11.58M, Researchers Trace Flaw To Cross-Chain Validation Gap

Web3 security platform Blockaid reported that its exploit detection system had detected an ongoing attack targeting the cross-chain Ethereum bridge operated by Verus, with roughly $11.58 million in assets drained so far.
According to the analysis, the suspected root cause resembles vulnerabilities previously seen in the 2022 Wormhole and Nomad bridge exploits, where a gap existed between source-chain value commitments and destination-chain payouts.
Investigators said that the bridge successfully verified multiple cryptographic components, including the notarized Verus state root, valid notary signatures, Merkle proofs for cross-chain exports, and hash bindings tied to serialized transfers. However, the system allegedly failed to verify whether the export on the source chain contained sufficient amounts, fees, or burned assets to support the payouts executed on Ethereum.
Researchers stated the attacker created a low-value transaction of roughly 0.02 VRSC containing a Verus Cross-Chain Export that committed to a payout hash while leaving the associated source-side totals effectively empty. The protocol reportedly accepted the transaction as valid, and notaries subsequently signed the resulting state root. The attacker then called the submitImports() function on Ethereum using a serialized transfer payload whose hash matched the committed value. After verification, the bridge released reserve assets amounting to 1,625 ETH, 103 tBTC, and roughly 147,000 USDC. The estimated execution cost was reported to be around $10 in VRSC transaction fees, while the proceeds totaled about $11.58 million.
Blockaid emphasised that the incident was not linked to an ECDSA bypass, compromised notary keys, or a parsing or hash-binding flaw. Instead, the company attributed the exploit to missing source-amount validation logic in the checkCCEValues process, describing the issue as potentially fixable with a relatively small Solidity code update.
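An added example, not Verus's contract code or Blockaid's analysis tooling: a Python model of the validation gap described above, in which the hash-binding check passes for an export whose source-side totals are empty, and a per-currency totals check rejects it. The field names, serialization and fee handling are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed model: the field names and serialization are assumptions made
# for illustration, not the Verus export format or the bridge's Solidity.

def payout_hash(transfers):
    """Hash of the serialized payout list [(currency, recipient, amount), ...]."""
    blob = "|".join(f"{c}:{r}:{a}" for c, r, a in transfers).encode()
    return hashlib.sha256(blob).hexdigest()

def hash_binding_ok(export, transfers):
    """Check the bridge reportedly passed: payload hash equals the commitment."""
    return payout_hash(transfers) == export["transfers_hash"]

def totals_cover_payouts(export, transfers):
    """Reportedly missing check: per currency, payouts <= source totals - fees."""
    paid = defaultdict(int)
    for currency, _recipient, amount in transfers:
        if amount <= 0:                      # reject zero/negative payouts
            return False
        paid[currency] += amount
    for currency, amount in paid.items():
        backed = export["totals"].get(currency, 0) - export["fees"].get(currency, 0)
        if amount > backed:                  # payout not backed on the source chain
            return False
    return True

def accept_import(export, transfers):
    """Release funds only if the commitment matches AND the value is backed."""
    return hash_binding_ok(export, transfers) and totals_cover_payouts(export, transfers)

# Constructed sample data (integer base units, placeholder recipient).
FEE = 10**15
TRANSFERS = [("ETH", "recipient-placeholder", 5 * 10**18)]
EMPTY_EXPORT = {"transfers_hash": payout_hash(TRANSFERS), "totals": {}, "fees": {}}
FUNDED_EXPORT = {"transfers_hash": payout_hash(TRANSFERS),
                 "totals": {"ETH": 5 * 10**18 + FEE}, "fees": {"ETH": FEE}}

if __name__ == "__main__":
    for name, exp in (("empty totals", EMPTY_EXPORT), ("funded", FUNDED_EXPORT)):
        print(name, hash_binding_ok(exp, TRANSFERS), accept_import(exp, TRANSFERS))
```

A regression test for a bridge validator can use the same pair of cases: a commitment with a matching hash but empty totals must be rejected, and a fully backed export must be accepted.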
Security firm GoPlus said that the attacker drained a significant amount of reserve assets from the Ethereum side of the bridge in a single transaction. Analysts noted that the exploit followed a familiar pattern seen in several bridge-related incidents during 2026, after earlier attacks affecting projects such as Kelp DAO and Hyperbridge reportedly contributed to cumulative losses worth hundreds of millions of dollars across the sector.
According to GoPlus, the attacker’s wallet currently holds around 5,402 ETH. The funds have reportedly not yet undergone laundering, bridging, or broad distribution, leaving open the possibility of tracing or recovery efforts. Investigators added that the exploit was triggered after the attacker submitted a low-value transaction invoking a specific contract function identified as 0x8c49b257, after which the bridge contract transferred reserve assets directly to the attacker-controlled wallet. The findings suggest a possible flaw involving cross-chain message verification, withdrawal validation, or access control mechanisms.
Blockchain security firm PeckShield later reported that the attacker’s address had initially been funded with 1 ETH through Tornado Cash roughly 14 hours before the exploit took place.
As of now, Verus has not publicly commented on the incident or issued an official warning to users regarding the exploit.
Verus Breach Adds To Rising DeFi Security Losses
Verus is a privacy-focused blockchain network launched in 2018 that operates using a hybrid proof-of-power consensus model combining proof-of-work and proof-of-stake mechanisms. In October 2023, the project launched the Verus-Ethereum bridge, designed to allow users to transfer and convert assets between the Verus ecosystem and the Ethereum network.
The exploit targeting the Verus bridge comes amid a broader rise in attacks against cross-chain infrastructure. Blockchain security firm PeckShield reported that at least eight major bridge-related security breaches had been recorded between February and mid-May 2026, resulting in combined losses estimated at roughly $328.6 million. The figures highlight the continued exposure of cross-chain protocols, which remain among the most frequently targeted sectors within decentralized finance.
The Verus incident followed several other notable bridge-related exploits reported in recent days. On May 15, THORChain temporarily suspended trading activity after a multichain exploit impacted networks including Bitcoin, Ethereum, BNB Chain, and Base. Initial estimates placed the losses at slightly above $10 million, while investigators continued monitoring addresses linked to the stolen funds.
A separate incident was disclosed by TAC on May 14, when the TON segment of its cross-chain infrastructure was reportedly compromised. The project said that around $2.8 million in USDT, BLUM, and tsTON assets had been drained. TAC added that TON-native assets, TAC assets, and ERC-20 tokens bridged from Ethereum were not affected by the breach. The protocol later paused bridge operations while security teams conducted forensic investigations into the attack.
The post Verus Ethereum Bridge Exploited For $11.58M, Researchers Trace Flaw To Cross-Chain Validation Gap appeared first on Metaverse Post.
