Particle.news
Download on the App Store
8 ARTICLES
·
6d ago

Verus–Ethereum Bridge Exploited for About $11.6 Million

Security firms say a missing source‑amount check let a fake cross‑chain message drain reserves.

Verus ethereum bridge drained of $11.5m in forged transfer exploit
On-chain data showed funds transferred through a forged bridge payload
Flagged live: attacker flips $11.5m in stolen verus assets to eth following tornado cash setup

Overview

  • Blockaid’s monitors, which flagged the breach late Sunday, reported about $11.5–$11.6 million was taken as 103.6 tBTC, 1,625 ETH, and roughly 147,000 USDC that were later swapped into about 5,402 ETH.
  • Researchers say the attacker sent a low‑value call that invoked a function to batch‑transfer bridge reserves after a forged cross‑chain payload passed checks that should have failed.
  • Blockaid and ExVul point to a missing source‑amount validation in the bridge’s checkCCEValues function, noting the issue was not a key compromise or signature bypass.
  • PeckShield traced the setup to a 1 ETH seed routed through Tornado Cash hours before the exploit, and the converted funds now sit in a drainer wallet visible on Etherscan.
  • The Verus team says the network halted as block‑generating nodes went offline during the response, and security firms urge a small code fix plus stricter validation and emergency pause controls in light of similar Nomad and Wormhole‑style bridge failures.