Despite the size of the exploit, Verus’ native token showed little immediate reaction following the attack.
Hackers reportedly stole approximately $11.58 million from the Verus Ethereum bridge after exploiting one of its cross chain bridge contracts.
Blockchain security firms revealed that the attacker emptied reserves containing ETH, tBTC, and USDC.
How the Exploit Happened
Security companies CertiK and PeckShield identified suspicious activity linked to the bridge contract shortly after the exploit occurred.
According to their findings shared on X, the stolen assets included 1,625 ETH, 103.56 tBTC, and 147,000 USDC. The attacker quickly converted the funds into roughly 5,402 ETH before moving them into another wallet.
Blockchain security firm Blockaid later published a technical analysis explaining how the attack unfolded.
The report stated that the bridge successfully verified three critical elements, including a notarized Verus state root signed by eight out of fifteen notaries, a Merkle proof for the cross chain export, and a hash binding used to confirm transfer integrity.
However, the protocol failed to verify whether the amounts declared in the source chain export actually matched the payout being processed.
According to Blockaid, the attacker created a transaction on the Verus side worth only around 0.02 VRSC, valued at roughly $0.01, while embedding a keccak hash tied to a payout data structure that listed empty source side totals.
The Verus protocol accepted the transaction as valid, and the notaries approved the resulting state root because no obvious irregularities appeared during verification.
On the Ethereum side, the attacker reportedly called the “submitimports” function using a serialized transfer blob whose hash matched the committed value. Since the hash verification succeeded, the bridge decoded the data and released 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves directly to the attacker.
In essence, the exploit reportedly cost the attacker around $10 in VRSC transaction fees while generating a return of $11.58 million.
Blockaid emphasized that the incident did not involve an ECDSA bypass, compromised notary keys, or flaws related to parsing or hash binding.
Instead, the vulnerability stemmed from missing source amount validation within a function known as “checkCCEValues,” which the firm said could likely be fixed with roughly ten lines of Solidity code.
Bridge Exploits Continue to Rise
Last month, the broader crypto industry lost more than $650 million to hackers, according to CertiK.
A large portion of those losses came from two separate incidents involving KelpDAO, which reportedly lost more than $292 million, and Drift Protocol, which suffered losses exceeding $285 million.
Cross chain bridges have increasingly become targets for attackers, with the Verus incident marking the eighth bridge related exploit this year. PeckShield estimated that attackers have stolen at least $328 million from bridge platforms so far in 2026.
Meanwhile, Verus’ native token, VRSC, showed little response to the exploit news.
Data from CoinGecko showed the token remained mostly flat during the 24 hour period surrounding the attack.
At the time of writing, VRSC was trading near $0.75, down 6% over the past 30 days and nearly 73% lower compared to its value one year ago.#crypto#cryptonews https://coinsignals.net https://t.me/coinsignalpublic
