Verus-Ethereum Bridge Exploit Drains $11.6 Million in Ongoing Attack

A serious Verus-Ethereum bridge exploit is unfolding right now, and the damage is already substantial. According to multiple blockchain security firms, an ongoing attack targeting the DeFi protocol Verus has drained roughly $11.58 million so far — and the situation is still developing.

For users and observers of the crypto space, the incident is another sobering reminder that cross-chain bridges remain one of the most vulnerable points in decentralized finance.

What Has Been Reported So Far

The alarm was first raised late Sunday by Blockaid, an onchain security platform, in a post on X.

Blockaid identified the attacker’s address as “0x5aBb…D5777” and said the stolen funds had been moved into a separate wallet, “0x65C…C25F9.” The firm described the attack as ongoing, meaning the full scale of the loss may not yet be clear.

A Breakdown of the Stolen Assets

Blockchain security firm Peckshield provided a more detailed look at exactly what was taken from the Verus-Ethereum bridge.

According to Peckshield, the bridge was drained of:

• 103.6 tBTC
• 1,625 ETH
• 147,000 USDC

The attacker didn’t sit on those assets, either. Peckshield reported that the stolen funds were subsequently swapped for 5,402 ETH, worth approximately $11.4 million at the time.

In a detail that points to a premeditated attack, Peckshield also noted that the attacker’s wallet had been initially funded with 1 ETH through Tornado Cash roughly 14 hours before the exploit — a common tactic used to obscure the origin of funds.

How the Attack May Have Worked

A third security firm, GoPlus, offered insight into the likely mechanics behind the breach.

GoPlus flagged that the attacker appeared to send a low-value transaction to the bridge contract, then called a specific function that caused the contract to batch-transfer its reserve assets straight to the drainer’s wallet.

As for the underlying weakness, GoPlus suggested several possibilities. The exploit, it said, was highly likely to involve one of the following:

• Cross-chain message validation or signature forgery
• A bypass of the withdrawal logic
• An access control flaw

In other words, the attacker may have found a way to trick the bridge into authorizing transfers it should never have approved.

What Is Verus?

For context, Verus is a privacy-oriented blockchain protocol that launched back in 2018.

The project runs on a hybrid “proof-of-power” consensus model, which combines proof-of-work and proof-of-stake. In October 2023, Verus launched the Verus-Ethereum bridge, giving users the ability to transfer and convert assets between the Verus network and Ethereum.

It is precisely that bridge — the connective tissue between two blockchains — that has now become the target of this exploit.

Silence From the Verus Team

As of publication, the Verus team had not publicly commented on the incident. Reporters had reached out to the team for a statement, but no official response had been issued.

That silence is notable. In fast-moving exploits like this one, timely communication from a protocol can be critical for helping users understand the risk and take protective action.

The Bottom Line

The Verus-Ethereum bridge exploit is still in motion, and with around $11.6 million already drained, it stands as a significant blow to the protocol and its users. Security firms Blockaid, Peckshield and GoPlus have each pieced together parts of the picture, pointing toward a likely flaw in how the bridge validated transactions or controlled access.

This remains a developing story, and the final figures could shift as more information emerges. For now, it serves as yet another warning about the persistent risks tied to cross-chain bridges — and the importance of robust security in an industry where a single contract flaw can cost millions in minutes.

This article is for informational purposes only and does not constitute financial or security advice. Details of this developing incident may change as security firms and the Verus team release further information.