An attacker forged cross-chain import payloads on the Verus-Ethereum bridge, minting unbacked assets and draining $11.6M.
The Verus-Ethereum bridge, which enables interoperability between the Verus blockchain and Ethereum, was exploited through forged cross-chain import payloads. The attacker manipulated the bridge's validation logic to mint unbacked assets on Ethereum, effectively draining approximately $11.6 million in value. The exploit targeted the bridge's import mechanism, which failed to properly verify the authenticity of incoming cross-chain messages.
Minted unbacked assets on Ethereum were swapped for ETH and stablecoins via Uniswap and other DEXs. A portion was bridged to Bitcoin through renBTC-like wrappers. No major CEX off-ramping has been confirmed. The Verus team issued a bridge pause and is working on a patch. No funds have been recovered.