
Hacker Steals Over $11M From Verus-Ethereum Bridge

Hackers have reportedly drained $11.58 million from the Verus-Ethereum bridge.

According to alerts from various blockchain security platforms, the exploit hit one of Verus’ cross-chain bridge contracts and emptied reserves containing ETH, tBTC, and USDC.

How the Attack Worked

Two of the firms, CertiK and PeckShield, flagged suspicious activity from the bridge contract at 0x71518580…cd7f63 within hours of the exploit.

Per their posts on X, the stolen assets totaled 1,625 ETH, 103.56 tBTC, and 147,000 USDC, with the attacker quickly swapping everything into roughly 5,402 ETH and parking the funds in a separate wallet.

Another on-chain security firm, Blockaid, published a technical breakdown shortly after, and it’s the clearest account of what went wrong.

According to them, the bridge correctly checked three things: a notarized Verus state root signed by eight of fifteen notaries, a Merkle proof of the cross-chain export, and a hash binding confirming the integrity of the transfer data. What it didn’t check was whether the source-chain export’s stated amounts actually matched what it was about to pay out.

The attacker reportedly constructed a transaction on the Verus side for roughly 0.02 VRSC, about $0.01 at current prices, that committed a keccak hash of a payout blob while listing empty source-side totals. The Verus protocol accepted it as valid, and the notaries signed the resulting state root without issue because, from their perspective, nothing was wrong.

On the Ethereum side, the attacker called submitImports() with a serialized transfer blob whose hash matched the committed value, so the bridge verified the hash, decoded the blob, and paid out 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves to the attacker.

In a nutshell, it cost the attacker about $10 in VRSC fees for a return of $11.58 million. Per the Blockaid report, there was no ECDSA bypass, no compromise of notary keys, and no parser or hash-binding bug.

The vulnerability was a missing source-amount validation in a function called “checkCCEValues,” which, according to the security firm, would take around ten lines of Solidity to fix.
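To make the failure mode concrete, here is an added Python model of the import path described above, not Verus or Blockaid code: the vulnerable version trusts the hash binding alone, the fixed version also compares each payout amount against the source-side totals the notarized export carries. Notary signatures and the Merkle proof are assumed to have been verified already, sha3_256 stands in for keccak, and all amounts and addresses are constructed illustration values.

```python
import hashlib
import json
from dataclasses import dataclass, field


def blob_hash(blob: dict) -> str:
    """sha3_256 stands in for the keccak hash binding the payout blob to the export."""
    return hashlib.sha3_256(json.dumps(blob, sort_keys=True).encode()).hexdigest()


@dataclass
class NotarizedExport:
    """Fields the notarized state root commits to (notary/Merkle checks assumed done)."""
    source_totals: dict  # per-currency amounts the source chain actually exported
    committed_hash: str  # hash of the payout blob, committed on the source chain


@dataclass
class Bridge:
    reserves: dict = field(default_factory=dict)

    def _decode_and_pay(self, blob: dict) -> dict:
        payout = {k: v for k, v in blob.items() if k != "to"}
        for cur, amt in payout.items():
            if self.reserves.get(cur, 0) < amt:
                raise ValueError(f"insufficient reserves for {cur}")
            self.reserves[cur] -= amt
        return payout

    def submit_imports_vulnerable(self, export: NotarizedExport, blob: dict) -> dict:
        # Hash binding only: the blob matches what the source chain committed to ...
        if blob_hash(blob) != export.committed_hash:
            raise ValueError("hash binding failed")
        return self._decode_and_pay(blob)  # ... so it is paid out; totals never compared

    def submit_imports_fixed(self, export: NotarizedExport, blob: dict) -> dict:
        if blob_hash(blob) != export.committed_hash:
            raise ValueError("hash binding failed")
        # The missing check: each payout amount must equal what the source side exported.
        for cur, amt in ((k, v) for k, v in blob.items() if k != "to"):
            if export.source_totals.get(cur, 0) != amt:
                raise ValueError(f"{cur}: payout {amt} != exported {export.source_totals.get(cur, 0)}")
        return self._decode_and_pay(blob)


def replay() -> tuple:
    """Replay the reported scenario against both versions; returns (vulnerable payout, fixed error)."""
    blob = {"to": "0xATTACKER_PLACEHOLDER", "ETH": 1625, "tBTC": 103, "USDC": 147000}
    # Source side exported nothing but committed the hash of a blob paying out everything.
    export = NotarizedExport({"ETH": 0, "tBTC": 0, "USDC": 0}, blob_hash(blob))
    reserves = {"ETH": 1625, "tBTC": 103, "USDC": 147000}
    paid = Bridge(dict(reserves)).submit_imports_vulnerable(export, blob)
    try:
        Bridge(dict(reserves)).submit_imports_fixed(export, blob)
        return paid, None
    except ValueError as err:
        return paid, str(err)
```

Running `replay()` shows the vulnerable path handing over the full reserves while the fixed path rejects the import at the first currency whose payout exceeds the exported total.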

Bridge Exploits Are on the Rise

Last month, according to CertiK, the broader crypto sector lost more than $650 million to bad actors, with a huge chunk of that amount coming from just two incidents: an attack on KelpDAO that led to the theft of more than $292 million and another on Drift Protocol, which lost over $285 million.

Bridges are also being increasingly targeted, with the Verus exploit being the eighth incident involving such platforms this year, and according to PeckShield, their attackers have made off with at least $328 million.

Meanwhile, looking at the market, VRSC, the Verus native token, didn’t appear to have reacted to the news of the exploit. Data from CoinGecko shows that it was largely flat on the day of the hack, having barely moved in the 24-hour window heading into the attack.

At the time of writing, it was trading at around $0.75, down 6% in 30 days, while over the last year it has lost close to 73% of its value.

The post Hacker Steals Over $11M From Verus-Ethereum Bridge appeared first on CryptoPotato.
