Security researchers have described a faked cross-chain message as the attack vector that allowed attackers to steal more than $11.5 million in cryptocurrency assets from the Verus Protocol Ethereum bridge.
Summary:
- Verus Protocol’s Ethereum bridge has lost over $11.5 million to attackers who used a forged message.
- Blockchain security companies Blockaid, PeckShield and ExVul have linked the exploit to missing validation checks in the bridge verification process.
Onchain security platform Blockaid said its monitoring system detected the suspicious activity late on Sunday night. Blockaid identified the attacker's wallet as “0x5aBb…D5777”. The funds have since been moved to another address labeled “0x65C…C25F9.”
Data shared by blockchain security firm PeckShield showed that the drained assets included 103.6 tBTC and 1,625 USDC. PeckShield later reported that the attacker exchanged the stolen tokens for 5,402 ETH, worth approximately $11.4 million at current prices.
PeckShield also reported that the attacker received 1 ETH via Tornado Cash hours before the attack. The service is often used in attempts to conceal the origins of transactions.
Further analysis from GoPlus Security indicated that the attacker first sent a small transaction to the bridge contract before triggering a function that transferred reserve assets in batches to the drainer wallet.
GoPlus said the exploit was “highly likely” caused by a failure to validate cross-chain messages, a bypass of withdrawal logic, or insufficient access control within the bridge mechanism.
Blockaid provided a more specific explanation. It said the incident was similar to attacks such as the Wormhole and 2022 Nomad Bridge exploits, in which fraudulent instructions were used to fool protocols into releasing reserved funds.
In a technical follow-up assessment, Blockaid stated that the exploit was “not an ECDSA bypass,” “not a notary key compromise,” and “not a parser/hash-binding bug.” Instead, the company attributed the problem to “a missing source-amount validation in checkCCEValues,” which it described as a Solidity error that can be corrected with around 10 lines.
Blockchain security provider ExVul reached a similar conclusion: the attacker used a “forged cross-chain import payload” that successfully passed the bridge's verification process. ExVul reports that the exploit eventually led to three different transfers from bridge reserves to the wallet controlled by the attacker.
ExVul said that cross-chain verification systems must directly link transfer execution to authenticated payload data before funds can be released. ExVul also suggested stricter validation of payloads, layers of protection against fraud, and emergency stop mechanisms for unusual outbound transfers.
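The controls ExVul recommends, sketched as an added Solidity example that is not code from Verus, Blockaid, ExVul or the original article. The contract name, struct layouts, hash commitment and per-token cap are all assumptions made for illustration; the page does not show the internals of checkCCEValues.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration; not the Verus bridge contract.
/// Struct layouts, names and the cap mechanism are assumptions.
contract ImportGuard {
    struct SourceTotal { address token; uint256 amount; }          // locked on the source chain
    struct Transfer { address token; address to; uint256 amount; } // payout requested on this chain

    address public immutable guardian;
    bool public paused;
    mapping(address => uint256) public importCap; // per-token ceiling per import; 0 blocks the token

    error OutboundPaused();
    error PayloadNotAuthenticated();
    error UndeclaredToken(address token);
    error ExceedsSourceAmount(address token, uint256 requested, uint256 declared);
    error ExceedsImportCap(address token, uint256 requested);

    constructor(address guardian_) { guardian = guardian_; }

    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }
    function setPaused(bool value) external onlyGuardian { paused = value; }
    function setImportCap(address token, uint256 cap) external onlyGuardian { importCap[token] = cap; }

    /// `authenticatedHash` is the commitment that the bridge's proof or
    /// signature verification (outside this example) has already accepted.
    function checkImport(bytes32 authenticatedHash, SourceTotal[] calldata totals, Transfer[] calldata transfers)
        external view
    {
        if (paused) revert OutboundPaused(); // emergency stop
        // Totals and transfers must be exactly the data that was authenticated.
        if (keccak256(abi.encode(totals, transfers)) != authenticatedHash) revert PayloadNotAuthenticated();

        uint256[] memory requested = new uint256[](totals.length);
        for (uint256 j = 0; j < transfers.length; j++) {
            uint256 k = 0;
            while (k < totals.length && totals[k].token != transfers[j].token) k++;
            if (k == totals.length) revert UndeclaredToken(transfers[j].token); // no declared source amount
            requested[k] += transfers[j].amount; // checked arithmetic reverts on overflow
        }
        for (uint256 i = 0; i < totals.length; i++) {
            // Source-amount validation: payouts may not exceed what the source chain locked.
            if (requested[i] > totals[i].amount) revert ExceedsSourceAmount(totals[i].token, requested[i], totals[i].amount);
            // Circuit breaker for unusually large outbound transfers.
            if (requested[i] > importCap[totals[i].token]) revert ExceedsImportCap(totals[i].token, requested[i]);
        }
    }
}
```

A release function would call `checkImport` before moving any reserves, so a payload that passes signature checks but asks for more than its declared source amounts reverts.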
DeFi continues to be hit by bridge exploits
The Verus Ethereum bridge launched in 2023, allowing users to transfer and convert their assets from the Verus network to Ethereum. The protocol, which was first introduced in 2018, uses a hybrid proof-of-work/proof-of-stake model.
The Verus team has not yet publicly addressed the exploit.
The exploit comes at a time when the decentralized finance (DeFi) sector is already under attack from several major breaches. Cited security tracking data shows that crypto hackers stole more than $168.6 million from 34 DeFi protocols in just the first quarter of 2026.
The Drift Protocol and Kelp attacks, worth $292 million each, were the two largest recorded attacks in April.
Over the weekend, cross-chain liquidity protocol THORChain also confirmed a separate $10 million fraud, adding to the growing concerns about bridges and interoperability in the DeFi industry.
Source: crypto.news

