A major cyberattack has struck the Verus protocol’s Ethereum bridge, resulting in the theft of $11.58 million worth of digital assets. Blockchain security firms confirmed that hackers managed to seize large amounts of crypto by exploiting weaknesses in the decentralized finance (DeFi) protocol. The incident first came to light late Sunday night, when on-chain analytics platform Blockaid flagged suspicious activities, prompting investigators to trace the origins and details of the stolen assets.
Attack details and methods used
Blockchain security company PeckShield revealed that the breach led to the loss of approximately 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the Verus-Ethereum bridge. Together, these assets amounted to around 5,402 ETH in total value transferred to the attacker. The PeckShield team noted that almost 14 hours before the event, 1 ETH was sent to the attacker’s wallet via Tornado Cash, a decentralized protocol facilitating anonymous transactions, and these funds were later used in the exploit.
The attacker’s preparations became apparent when investigators identified the Tornado Cash transaction shortly before the hack. This move seemed designed to conceal the perpetrator’s identity through advanced privacy techniques. Several blockchain security experts have since weighed in with their analysis of the breach.
Technical vulnerabilities and DeFi ecosystem risks
Cybersecurity firm GoPlus stated that the attacker exploited a sophisticated flaw within the bridge’s transaction validation system. According to GoPlus, the perpetrator started by sending a small transfer to the bridge contract, then triggered a function enabling a bulk transfer of reserve assets into a single wallet. This exploit took advantage of weaknesses in the contract’s logic.
GoPlus further suggested that a misconfiguration in cross-chain message validation, signature forgery gaps, and a lack of stringent withdrawal and access controls contributed to the success of the attack. Such vulnerabilities are often targeted in cross-chain bridges, especially those holding substantial volumes of crypto assets, highlighting ongoing security concerns in the DeFi sector.
Security concerns reignite in the industry
Verus protocol operates as a decentralized bridge, enabling asset transfers across various blockchain platforms. The recent breach has reignited widespread debate about the safety of cross-chain bridges, with numerous security researchers raising fresh concerns regarding the vulnerabilities inherent in these systems.
The rapid conversion of stolen tokens into ETH underlines how swiftly funds can be moved in these attacks, complicating efforts to recover assets or track down perpetrators. While the affected platform has not yet published an official statement about the incident, findings by blockchain analytics firms have made the scale and sophistication of the theft clear.
According to information provided by PeckShield, the attacker managed to redirect approximately $11.4 million worth of tokens—including 103.6 tBTC, 1,625 ETH, and 147,000 USDC—into their own accounts within a very short period. Additionally, the attacker’s wallet received funds via Tornado Cash just prior to the breach.
Due to a surge in security threats across cross-chain bridges, industry specialists are emphasizing the urgent need for improved protective measures capable of countering increasingly complex attacks.
