Blockchain security remains one of the most challenging issues in the crypto market. Bridges, which facilitate asset transfers between different networks, have become a frequent target for attackers in recent years. The latest example is a security breach on the Verus Protocol's Ethereum bridge. On Monday, a large-scale attack was detected on the cross-chain bridge known as the Verus-Ethereum bridge. This bridge allows users to transfer value between the Verus network and Ethereum, including ETH and ERC-20 assets. However, the attacker managed to trick the system with a fake cross-chain transfer message, withdrawing millions of dollars worth of assets from the bridge reserves.
On-chain security platform Blockaid announced via X that they had detected an ongoing attack on the Verus-Ethereum bridge. According to the shared transaction data, the attacker transferred 1,625 ETH, 147,659 USDC, and 103.57 tBTC v2, the tokenized Bitcoin asset of the Threshold Network. The total value of these assets is estimated to be over $11.5 million.
Blockchain security company PeckShield also assessed the transaction as an attack exploiting a security vulnerability. According to on-chain data, the attacker later converted the stolen assets into ETH. The wallet in question held 5,402 ETH, worth over $11 million.
Fake transfer message tricked the system
Initial findings indicate that the attack did not stem from a private key hijacking or a classic signature verification vulnerability. According to Blockaid, the attacker tricked the bridge into believing that fake transfer instructions were valid. Thus, the protocol sent assets from its reserves to the attacker's wallet.
Blockaid noted similarities to the Nomad Bridge and Wormhole attacks of 2022. The Nomad attack resulted in the loss of approximately $190 million, while the Wormhole attack resulted in the loss of $325 million. Therefore, although the Verus attack appears smaller in terms of amount, the method used has brought fundamental security issues in crypto bridges back to the forefront.
According to Blockaid's technical assessment, the problem is; The ECDSA signature breach wasn't a notary key compromise or a hash-binding error. The platform stated that the vulnerability stemmed from a missing source quantity validation in "checkCCEValues." According to the company, this deficiency was a security flaw that could be patched with approximately 10 lines of code on the Solidity side.
Blockchain security provider ExVul made a similar assessment. The company reported that the attacker used a "fake cross-chain import payload" and that this data managed to pass through the bridge's validation stream. As a result, the attacker processed three different transfers linked to their own wallet.
Bridges were once again the weakest link
The Verus-Ethereum attack once again demonstrated how critical a risk area bridge infrastructures are in the crypto market. Cross-chain bridges provide liquidity and ease of use between different blockchain networks. However, they also broaden the attack surface because they operate between multiple networks, validation layers, and messaging systems. According to the crypto exchange Phemex, the biggest losses recently have stemmed from attacks targeting cross-chain connectivity and messaging infrastructure rather than directly targeting smart contracts. The Drift and Kelp DAO attacks are cited as significant examples of this trend. In April, the targeting of Kelp DAO's cross-chain messaging infrastructure, which runs on LayerZero, resulted in a loss of approximately $293 million. This suggests that bridge attacks could cause significant losses in 2026, as they have in previous years. In the first quarter, more than $168.6 million in assets were stolen from decentralized finance protocols. In April, the two largest attacks of the year were recorded; Drift Protocol lost approximately $280 million, and Kelp lost $292 million. Verus had not officially confirmed the attack at the time of writing. However, statements from security companies such as Blockaid, PeckShield, and ExVul, based on on-chain data, are causing concern.
