Significant Breach of the Verus Ethereum Bridge
A significant breach involving the Verus Ethereum bridge has resulted in the loss of approximately $11.58 million in various cryptocurrencies, including tBTC, ETH, and USDC. This alarming exploit was initially detected by Blockaid, an on-chain security service, which reported unusual activity linked to a specific wallet address starting with 0x5aBb.
Details of the Attack
Upon investigation, it was found that the compromised funds were subsequently moved to another address ending with C25F9. Further analysis from the security firm PeckShield revealed that the attacker managed to siphon off around 103.6 tBTC, 1,625 ETH, and 147,000 USDC. The attacker then executed a swift series of transactions that converted the stolen assets into roughly 5,402 ETH, presently valued at about $11.4 million.
Notably, the attacker’s wallet had been funded through Tornado Cash – a well-known cryptocurrency mixing service – just hours before the breach, as indicated by PeckShield’s findings. The firm noted that 1 ETH was deposited into the wallet approximately 14 hours prior to the exploit.
Potential Vulnerabilities
GoPlus, another blockchain security firm, posited that the integrity of the bridge’s transaction validation mechanism may have been compromised, allowing the attacker to create a low-value transaction aimed at the bridge contract. Following this, the attacker allegedly activated a function that facilitated the large-scale transfer of reserve assets to their own wallet.
GoPlus speculated that this incident could stem from weaknesses related to cross-chain message validation, failures in signature verification, vulnerabilities permitting withdrawal logic circumvention, or issues surrounding access control within the bridge’s framework. Such flaws have frequently caught the attention of bad actors in the decentralized finance space, especially in cross-chain bridges that oversee substantial reserves of locked liquidity.
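The two on-chain signals reported above (a wallet freshly funded from a mixer, then a rapid transfer of a large share of bridge reserves to it) can be combined into a simple monitoring rule. The following is an added example, not code from Verus, Blockaid, PeckShield or GoPlus; the addresses, reserve sizes, timestamps and thresholds are constructed assumptions, and only the three outflow amounts mirror the figures quoted in the article.

```python
from dataclasses import dataclass

# Constructed sample data: addresses, reserve sizes and timestamps are placeholders.
# Only the three large outflow amounts mirror the figures reported in the article.
BRIDGE = "0xBRIDGE"
MIXER_LABELLED = {"0xMIXER"}   # addresses an analyst has tagged as mixer pools
RESERVES = {"tBTC": 120.0, "ETH": 2000.0, "USDC": 200_000.0}  # assumed reserves

@dataclass(frozen=True)
class Transfer:
    ts: int       # unix seconds
    src: str
    dst: str
    asset: str
    amount: float

def bridge_outflow_alerts(transfers, window=3600, drain_frac=0.25, fund_lookback=86400):
    """Flag recipients that pull a large share of any reserve within `window` seconds
    and record whether a mixer-labelled address funded them shortly beforehand."""
    alerts = {}
    outs = sorted((t for t in transfers if t.src == BRIDGE), key=lambda t: t.ts)
    for i, first in enumerate(outs):
        totals = {}
        for t in outs[i:]:
            if t.ts - first.ts > window:
                break
            if t.dst == first.dst:
                totals[t.asset] = totals.get(t.asset, 0.0) + t.amount
        drained = sorted(a for a, amt in totals.items() if amt >= drain_frac * RESERVES[a])
        if not drained or first.dst in alerts:
            continue
        mixer_funded = any(
            t.src in MIXER_LABELLED and t.dst == first.dst
            and 0 <= first.ts - t.ts <= fund_lookback
            for t in transfers
        )
        alerts[first.dst] = {"assets": drained, "mixer_funded": mixer_funded}
    return alerts

SAMPLE = [
    Transfer(1_000, "0xMIXER", "0xNEW", "ETH", 1.0),       # fresh mixer funding
    Transfer(51_400, BRIDGE, "0xNEW", "tBTC", 103.6),      # 14 hours later
    Transfer(51_460, BRIDGE, "0xNEW", "ETH", 1625.0),
    Transfer(51_520, BRIDGE, "0xNEW", "USDC", 147_000.0),
    Transfer(52_000, BRIDGE, "0xUSER", "ETH", 3.0),        # ordinary withdrawal
]

if __name__ == "__main__":
    print(bridge_outflow_alerts(SAMPLE))
```

A rule like this is a tripwire for pausing withdrawals or paging an operator; it does not replace correct message and signature validation in the bridge contract itself.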
About Verus
Launched in 2018, Verus is a privacy-centric blockchain network that utilizes a unique “proof-of-power” consensus model, integrating both proof-of-work and proof-of-stake mechanisms. The Ethereum bridge, which was introduced recently in October 2023, aimed to facilitate the transfer and conversion of assets between the Verus ecosystem and Ethereum, making the recent breach particularly concerning for its users.