Security firm Blockaid has warned that attackers are actively draining funds from the Verus–Ethereum cross-chain bridge. Its exploit-detection system flagged a live attack that has already pulled in about $11.58 million from the bridge, according to early reports.
Blockaid issued a community alert after detecting suspicious flows from Verus-linked contracts into attacker-controlled wallets. It described the situation as an ongoing security incident and urged users to treat the bridge as unsafe until investigators have mapped the full attack path and closed the vulnerability.
How the Verus–Ethereum Exploit Actually Happened
The root cause of the Verus–Ethereum exploit has been identified. Blockaid places this incident in the same exploit class as Wormhole (2022) and Nomad (2022): a gap between what the source chain commits to and what the destination chain pays out.
The bridge correctly verified notary signatures, Merkle proofs, and hash bindings. What it did not verify was that the source-chain export’s totals actually backed the payout being claimed on Ethereum.
The attacker exploited that gap cheaply. A near-worthless Verus transaction, roughly $10 in VRSC fees, committed to a payout blob with empty source-side totals. Verus accepted it, while notaries signed the resulting state root. The attacker then called submitImports() on Ethereum, the bridge decoded the matching blob, and released 1,625 ETH, 103 tBTC, and 147,000 USDC from its reserves.
This was not a key compromise, an ECDSA bypass, or a parser bug. The fix is a missing source-amount validation in checkCCEValues, approximately 10 lines of Solidity.
Investigators are currently tracking the attacker wallets and tracing how the stolen assets moved across the Ethereum network. Blockaid’s alert puts confirmed losses at approximately $11.6 million, though that figure may rise as more drained addresses are identified. The Verus team has said it will publish a detailed post-mortem covering which contracts were hit, how funds were moved, and what security changes must be in place before the bridge is brought back online.
READ MORE: Zcash Price Prediction: Can ZEC Hit $700 Before the Leverage Unwinds?
