Verus-Ethereum Bridge Exploit Drains $11.58M in Ongoing Attack

TLDR:

• Blockaid’s exploit detection system identified an active attack draining $11.58M from the Verus-Ethereum bridge.
• Peckshield confirmed 103.6 tBTC, 1,625 ETH, and 147,000 USDC were stolen and swapped for 5,402 ETH.
• GoPlus found the attacker used a low-value transaction to trigger a batch-transfer of all bridge reserves.
• The attacker’s wallet was pre-funded with 1 ETH via Tornado Cash roughly 14 hours before the exploit began.

The Verus-Ethereum bridge is under an active exploit that has drained approximately $11.58 million in digital assets. Blockchain security firm Blockaid identified the attack through its exploit detection system on Sunday.

The stolen funds included tBTC, ETH, and USDC. The attacker subsequently converted those assets into ETH. Multiple security companies have since confirmed the breach and traced the attacker’s on-chain activity.

How the Attack Unfolded

Blockaid was among the first to publicly flag the exploit. The firm identified the attacker’s externally owned account as address “0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777.” The drained funds were moved to a separate wallet at “0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.”

Peckshield provided a detailed breakdown of what was taken from the bridge. According to the firm, the attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the protocol. Those assets were then swapped for roughly 5,402 ETH, valued at around $11.4 million at the time.

Another security firm, GoPlus, shed light on the method used in the attack. The attacker sent a low-value transaction to the bridge contract and called a specific function. That function triggered the bridge contract to batch-transfer its reserve assets directly to the drainer’s wallet.

The exploit transaction has been publicly logged on Etherscan, providing a transparent on-chain record. The bridge contract address involved is “0x71518580f36feceffe0721f06ba4703218cd7f63.” Security researchers continue to monitor the addresses involved for further movement.

Attacker’s Funding Trail Points to Tornado Cash

Peckshield also traced how the attacker initially funded their wallet before carrying out the exploit. The attacker’s address received 1 ETH through Tornado Cash approximately 14 hours before the attack began. Tornado Cash is a crypto mixer commonly used to obscure the origin of funds on-chain.

This funding method is a recognized pattern among on-chain bad actors seeking to hide their identity. By routing startup funds through a mixer, the attacker made it harder to link the exploit wallet to any prior history. Investigators typically watch for such patterns when tracing the source of stolen assets.

At the time of writing, the stolen funds remain in the drainer wallet identified by Blockaid. No confirmed recovery measures or protocol pause announcements had been publicly issued by the Verus team. The broader DeFi community has been alerted to avoid interacting with the bridge in the meantime.

The attack adds to a long list of bridge exploits that have plagued the crypto industry in recent years. Cross-chain bridges remain a high-value target due to the large reserves they hold and the complexity of their smart contract logic.