
PeckShield confirmed that, as of May 22, the attacker behind the Verus bridge exploit had returned 4,052.4 ETH (about $8.5 million) to the official Verus address. This is 75% of the 5,402.4 ETH stolen in total. The remaining 1,350 ETH (about $2.85 million, 25%) stays in the attacker's wallet as a bug bounty.
Attack Mechanism: How a Validation Gap Can Be Exploited to Steal Assets at Low Cost
Official Verus statements and on-chain analysis confirmed that this attack did not involve a private key leak or signature forgery. Instead, it exploited a structural flaw in the bridge contract, an "input validation gap": the attacker initiated a real but tiny transaction on the Verus chain (about $0.01 in VRSC), then placed a token amount in the payload (the message body of the cross-chain transfer) that was far higher than the amount actually locked. During validation the bridge contract never checked whether the amount claimed in the payload matched the amount actually locked on the source chain, so it accepted the inflated figure and released reserve funds far exceeding what had been transferred in. After the incident the Verus network temporarily paused, and most block-producing nodes voluntarily went offline to prevent further losses.
Confirmed Terms and Liability Boundaries of On-Chain Bounty Negotiations
In an on-chain proposal on May 21, Verus confirmed the following terms, which have been publicly recorded as a formal agreement on the Ethereum chain:
Return Requirement: 4,052.4 ETH must be returned to the specified address within the 24-hour deadline
Bounty Acknowledgment: After the return is completed, Verus will formally recognize the retained 1,350 ETH as a legitimate bug bounty
Investigation Commitment: Verus will make its best efforts to stop the existing investigation and avoid initiating new ones
Legal Commitment: Verus will avoid filing lawsuits
Public Statement: Verus will publicly acknowledge the bountiable nature of the retained funds
Important Boundary: The above commitments do not bind law enforcement agencies, exchanges, infrastructure providers, or other third parties—this agreement only represents the position of the official Verus team
Frequently Asked Questions
What is the specific technical meaning of the input validation gap in Verus’s cross-chain bridge?
The input validation gap (Validation Gap) refers to the bridge contract, when processing a cross-chain transfer request, failing to compare the token amount claimed in the transfer payload against the token amount actually locked on the source chain. This lets an attacker submit a legitimate transaction with an extremely small amount on the source chain (about $0.01) while declaring a much larger amount in the payload. The destination bridge contract trusts the number in the payload and releases reserve funds far exceeding the real value. This is a design flaw at the smart contract logic layer and belongs to the same class of bridge attack pattern as Map Protocol Butter Bridge V3.1's "retry message validation gap."
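To make the gap concrete for both the attack-mechanism section above and this FAQ answer, here is an added illustration, not code from Verus or from the page, of a minimal lock-and-release bridge model in Python. The `VulnerableBridge` class reproduces the described flaw: it confirms the source transaction exists and that the reserve can cover the claim, but takes the amount from the attacker-controlled payload. The `HardenedBridge` class binds the released amount to the source chain's own record of what was locked, and also refuses to release the same source transaction twice (the kind of retry/replay check the Map Protocol comparison alludes to). All class names, the `run_scenario` helper, the sample deposit and the reserve figure are constructed for this example and are not the real contract's identifiers or values.

```python
from __future__ import annotations
from dataclasses import dataclass

WEI = 10**18  # smallest unit of ETH


@dataclass(frozen=True)
class LockEvent:
    """What the source chain actually recorded for a deposit (constructed sample)."""
    tx_id: str
    locked: int        # amount really locked, in smallest units


@dataclass(frozen=True)
class TransferPayload:
    """The cross-chain message body. Every field here is attacker-supplied."""
    tx_id: str
    claimed: int       # amount the payload asserts was locked
    recipient: str


class BridgeError(Exception):
    pass


class VulnerableBridge:
    """Models the validation gap: the source tx is checked for existence and the
    reserve for solvency, but `claimed` is never compared with `locked`."""

    def __init__(self, reserve: int, source_events: list[LockEvent]):
        self.reserve = reserve
        # In a real bridge this mapping comes from a verified view of the source chain
        # (light client / validator attestations), never from the payload itself.
        self.events = {e.tx_id: e for e in source_events}
        self.consumed: set[str] = set()

    def release(self, p: TransferPayload) -> int:
        if p.tx_id not in self.events:
            raise BridgeError("source transaction not found")
        if p.claimed > self.reserve:
            raise BridgeError("reserve cannot cover claimed amount")
        self.reserve -= p.claimed           # trusts the payload's number
        self.consumed.add(p.tx_id)
        return p.claimed


class HardenedBridge(VulnerableBridge):
    """Same bridge with the missing check: release exactly what the source chain
    says was locked, and only once per source transaction."""

    def release(self, p: TransferPayload) -> int:
        ev = self.events.get(p.tx_id)
        if ev is None:
            raise BridgeError("source transaction not found")
        if p.tx_id in self.consumed:
            raise BridgeError("source transaction already released")
        if p.claimed != ev.locked:
            raise BridgeError(
                f"payload claims {p.claimed} but source locked {ev.locked}")
        if p.claimed > self.reserve:
            raise BridgeError("reserve cannot cover claimed amount")
        self.reserve -= p.claimed
        self.consumed.add(p.tx_id)
        return p.claimed


def run_scenario(bridge_cls: type[VulnerableBridge]) -> tuple[int, int, str | None]:
    """Replays the pattern described on the page: a dust-sized real lock, then a
    payload claiming the entire reserve. Returns (released, reserve_left, error)."""
    reserve = 5402 * WEI                                   # constructed figure
    events = [LockEvent(tx_id="vrsc-deposit-1", locked=1)]  # ~nothing really locked
    bridge = bridge_cls(reserve, events)
    payload = TransferPayload(tx_id="vrsc-deposit-1", claimed=reserve,
                              recipient="0xattacker")       # hypothetical address
    try:
        released = bridge.release(payload)
        return released, bridge.reserve, None
    except BridgeError as e:
        return 0, bridge.reserve, str(e)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableBridge))  # drains the whole reserve
    print("hardened:  ", run_scenario(HardenedBridge))    # rejected, reserve intact
```

The essential design point is that the amount released must be derived from the bridge's verified view of the source chain, with the payload used only to identify which deposit is being redeemed and where it goes. A payload that carries its own amount is an invitation for exactly this mismatch, and the `claimed != locked` comparison is what closes it.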
Is a 25% bounty ratio a common arrangement in DeFi bridge-attack negotiations?
A 25% bounty share is high by the standards of traditional vulnerability bounty programs, but it is not uncommon in negotiations to recover bridge-attack funds that have already been consolidated and are difficult to freeze. In such cases the project team typically trades a bounty for the attacker's voluntary return of funds, to avoid the funds disappearing entirely through mixers or privacy tools. The earlier Renegade dark pool incident used a similar on-chain negotiation approach, letting the attacker keep a portion of the assets as the price of recovering most of the funds.
Can Verus’s protocol commitments effectively protect the attacker from legal pursuit?
In its agreement, Verus states clearly that its commitments (stopping the investigation, not filing lawsuits) bind only the Verus project team itself and cannot bind law enforcement agencies, exchanges, blockchain infrastructure providers, or other third parties. This means that if, after the attacker returns the funds, their on-chain activity is still tracked by law enforcement, exchange KYC systems, or on-chain analytics firms, Verus's commitments cannot serve as a basis for exemption. Note also that 14 hours before accepting the bounty arrangement, the attacker had already passed an initial tranche of the funds through Tornado Cash, which may further complicate later law-enforcement tracing.