Verus-Ethereum Bridge Exploit Drains $11.6M; Tornado Cash Link

Late Sunday, onchain security platform Blockaid reported an exploit on the Verus-Ethereum bridge that drained about $11.58 million. Blockaid identified the attacker address as 0x5aBb…D5777 and the wallet holding the stolen funds as 0x65C…C25F9.

Blockchain security firm Peckshield quantified the theft as 103.6 tBTC, 1,625 ETH and 147,000 USDC. Peckshield reported the attacker consolidated the funds and swapped assets into roughly 5,402 ETH, valued at about $11.4 million, leaving total losses at about $11.58 million.

Peckshield also noted the attacker address received 1 ETH via Tornado Cash about 14 hours before the exploit, an on-chain transaction recorded prior to the series of transfers that moved through the bridge.

Security firm GoPlus analyzed the on-chain activity and found the attacker sent a low-value transaction to the bridge contract before invoking a function that caused the contract to batch-transfer reserve assets to the drainer. GoPlus described the likely technical vectors as: “It is highly likely to be cross-chain message validation/signature forgery, withdrawal logic bypass, or access control flaw.”

Verus has not issued a public comment. Requests for comment were sent to the project team; security firms continue to monitor the addresses and swaps on Ethereum.

Verus is a privacy-focused blockchain protocol launched in 2018 that uses a hybrid proof-of-power consensus combining proof-of-work and proof-of-stake. The Verus-Ethereum bridge went live in October 2023 to enable transfers and conversions of assets between the Verus network and Ethereum. The bridge holds reserve assets to support wrapped tokens and cross-chain transfers.

On-chain monitors and security firms are tracking further movement of the stolen funds and reporting updates as the investigation continues.