Verus Bridge Hacker Returns Most Funds After Bounty Deal
The attacker handed back 4,052 ETH in exchange for a publicly offered 1,350 ETH bounty, highlighting both a fast recovery option and a persistent validation flaw in cross‑chain bridges.
Overview
- The Verus–Ethereum bridge was drained in an attack that used a forged cross‑chain transfer, and the project recovered most of the assets after negotiating with the exploiter.
- The attacker returned 4,052 ETH to a Verus team address and then moved 1,350 ETH to a separate wallet as the agreed bounty, with Etherscan transactions showing both transfers.
- Security firms traced the root cause to a missing source‑amount validation in the bridge’s transfer logic rather than a signature or key compromise; they say the fix requires small code changes and pause controls.
- The exploit first occurred on Monday, May 18, and the funds were consolidated and swapped into about 5,402 ETH before the negotiated return of the 4,052 ETH on May 21.
- The quick bounty settlement sets a practical precedent for rapid asset recovery in DeFi but raises governance and incentive questions as bridges remain frequent targets in a broader wave of protocol hacks.