Verify a decision

{"actor":"system:backfill","investigation_id":"d7ec6a55-89bf-4483-b6a5-f441e744c374","kind":"publish","page_slug":"verus-protocol","published_at":"2026-06-03T17:09:17.447Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Verus Protocol","sections":[{"content":"Verus Protocol is a decentralized, open-source blockchain protocol that launched on May 21, 2018, without an ICO, premine, or developer fees. It is governed by its global community rather than a centralized company. The protocol uses a hybrid consensus mechanism called Proof of Power, which combines 50% proof-of-work and 50% proof-of-stake, and incorporates zk-SNARK-based privacy technology. Its native token, Verus Coin (VRSC), has a maximum supply of 83,540,184 VRSC. A major protocol milestone occurred in May 2023 when full Public Blockchains as a Service (PBaaS) functionality was deployed, enabling any user to launch interconnected blockchains that inherit security and features from the Verus mainchain. The protocol also supports native decentralized identities through the VerusID system. Verus positions itself as a Layer 0/1 protocol, deliberately avoiding smart contracts in favor of transaction-level protocol primitives validated by every node.","heading":"Project Overview","severity":"low","sources":[{"credibility":1,"name":"Verus Official Website","type":"official","url":"https://verus.io/"},{"credibility":1,"name":"Introduction to Verus - Verus PBaaS Documentation","type":"official","url":"https://docs.verus.io/overview/"},{"credibility":2,"name":"Verus - Decentralized Finance | IQ.wiki","type":"research","url":"https://iq.wiki/wiki/verus"}]},{"content":"On May 18, 2026, at approximately 00:54 GMT, security firm Blockaid detected suspicious activity involving the Verus-Ethereum Bridge contract. An attacker exploited a fundamental validation gap in the bridge's cross-chain message logic to drain approximately $11.58 million in digital assets. The stolen assets comprised 103.6 tBTC (Threshold Network's tokenized bitcoin), 1,625 ETH, and 147,000 USDC. The attacker subsequently swapped all stolen assets for 5,402.4 ETH, consolidating them in Ethereum address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.\n\nThe root cause was the absence of input-versus-output amount validation in the bridge's checkCCEValues function. The attacker constructed a transfer blob containing only approximately $0.01 worth of VRSC as the Verus-side input. Verus notaries validated the blob's structural integrity, authenticity, and Merkle proof — all of which were technically genuine — but neither the Verus side nor the Ethereum side's submitImports() function verified that the payout on Ethereum corresponded to the value deposited on Verus. As a result, the Ethereum-side smart contract released assets worth $11.58 million against a $0.01 deposit. Security researchers described the exploit cost to the attacker as approximately $10 in transaction fees. Blockaid classified the vulnerability as a gap between source-chain proof verification and destination-chain value binding, the same class of flaw that enabled the 2022 Wormhole ($320 million) and Nomad ($190 million) bridge hacks.\n\nApproximately 12 hours after the exploit began, most Verus block-generating nodes voluntarily took themselves offline in response, halting the Layer 1 chain.","heading":"May 2026 Bridge Exploit","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Verus-Ethereum Bridge Hack (May 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026"},{"credibility":1,"name":"Verus-Ethereum bridge loses $11 million as hackers keep targeting cross-chain infrastructure - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"credibility":2,"name":"Verus suffers $11.5M hack as bridge-related exploits hit $329M in 2026 - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"},{"credibility":2,"name":"Bridge hacks back in vogue as Verus exploit brings 2026 total to $329M - Protos","type":"news_article","url":"https://protos.com/bridge-hacks-back-in-vogue-as-verus-exploit-brings-2026-total-to-329m/"},{"credibility":2,"name":"Verus-Ethereum bridge hack drains $11.58M - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/verus-ethereum-bridge-hack-drains-11-58m-why-defi-trust-is-eroding/"}]},{"content":"Two days prior to the May 18, 2026 exploit, Verus released version 1.2.14-2, described by the project as an urgent and mandatory emergency update to address a vulnerability. As of the time of reporting by multiple outlets, Verus had not publicly clarified whether the vulnerability patched in v1.2.14-2 was related to the bridge flaw that was subsequently exploited. The proximity of this update to the attack raised questions among security researchers about whether the exploited vulnerability was known prior to the attack, though no confirmed link between the two has been established in available public reporting.","heading":"Pre-Exploit Emergency Update","severity":"high","sources":[{"credibility":2,"name":"Verus suffers $11.5M hack as bridge-related exploits hit $329M in 2026 - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"},{"credibility":2,"name":"Verus Bridge Exploited: $11.58M Drained, Attack Still Live - CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/verus-bridge-exploited-12m-drained-attack-still-live/"}]},{"content":"Following the exploit, the Verus team chose to negotiate directly with the attacker rather than pursue immediate legal channels. The team offered a structured recovery arrangement: the attacker would return 4,052.4 ETH to a Verus treasury wallet within 24 hours and retain 1,350 ETH (approximately $2.8 million) as a recognized bounty. The team also committed to halting ongoing investigations and forgoing further legal or extralegal action against the attacker provided the terms were met. The attacker complied, returning 4,052.4 ETH (approximately $8.5 million) on or around May 22, 2026. The team described the arrangement as a structured return process rather than a legal escalation. The Verus development team clarified that this bounty arrangement operated independently from traditional law enforcement channels. The bounty amount retained by the attacker represented approximately 25% of the total stolen value. Community and industry response was mixed, with some developers supporting negotiated recoveries as practical risk management while critics argued such deals may incentivize future exploit attempts.","heading":"Post-Exploit Bounty Negotiation and Fund Recovery","severity":"high","sources":[{"credibility":2,"name":"Verus Hacker Returns $8.5M After Bridge Exploit Deal - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/22/verus-hacker-returns-8-5m-after-bridge-exploit-deal/"},{"credibility":2,"name":"Verus Bridge Hack Resolved: 4,052 ETH Recovered Through $2.8M Bounty Deal - Blockonomi","type":"news_article","url":"https://blockonomi.com/verus-bridge-hack-resolved-4052-eth-recovered-through-2-8m-bounty-deal"},{"credibility":2,"name":"Verus Bridge Exploiter Returns Majority Of Stolen Funds Following Structured Bounty Deal - NullTX","type":"news_article","url":"https://nulltx.com/verus-bridge-exploiter-returns-majority-of-stolen-funds-following-structured-bounty-deal-with-project-team/"}]},{"content":"According to on-chain analytics firm PeckShield, the Verus incident brought the cumulative total of bridge-related exploit losses in 2026 to approximately $328.6 to $329 million across eight major incidents in the first five months of the year. Bridge-related losses accounted for approximately 41% of all tracked DeFi exploit losses in that period. Other notable 2026 bridge and DeFi incidents cited by analysts include the rsETH hack in April 2026 ($290 million) and the Kelp DAO incident ($293 million). Security researchers noted that the Verus bridge vulnerability was comparable in class to the 2022 Wormhole and Nomad exploits, both of which also failed to properly bind cross-chain message values to on-chain payouts.","heading":"Broader Context: 2026 Bridge Exploit Landscape","severity":"medium","sources":[{"credibility":2,"name":"Bridge hacks back in vogue as Verus exploit brings 2026 total to $329M - Protos","type":"news_article","url":"https://protos.com/bridge-hacks-back-in-vogue-as-verus-exploit-brings-2026-total-to-329m/"},{"credibility":2,"name":"Verus suffers $11.5M hack as bridge-related exploits hit $329M in 2026 - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"}]},{"content":"No independently published third-party security audit of the Verus-Ethereum bridge smart contracts has been identified in available public sources as of June 2026. The Verus core protocol codebase has received security patches over time, including mitigations for network denial-of-service vulnerabilities ported from Zcash updates (addressed in v1.2.4). The bridge's checkCCEValues function lacked a check for value equivalence between cross-chain inputs and outputs — a deficiency that security researchers estimated could have been remediated with approximately 10 lines of code. The absence of a publicly available bridge audit represents a notable gap for a bridge that held over $11 million in user assets.","heading":"Security Audit History","severity":"high","sources":[{"credibility":2,"name":"Explained: The Verus-Ethereum Bridge Hack (May 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026"},{"credibility":1,"name":"VerusCoin v1.2.4 Release Notes - GitHub","type":"official","url":"https://github.com/VerusCoin/VerusCoin/releases/tag/v1.2.4"}]}],"sources_used":[{"credibility":2,"name":"Explained: The Verus-Ethereum Bridge Hack (May 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026"},{"credibility":1,"name":"Verus-Ethereum bridge loses $11 million as hackers keep targeting cross-chain infrastructure - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"credibility":2,"name":"Verus-Ethereum bridge hack drains $11.58M - Why DeFi trust is eroding - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/verus-ethereum-bridge-hack-drains-11-58m-why-defi-trust-is-eroding/"},{"credibility":2,"name":"Verus suffers $11.5M hack as bridge-related exploits hit $329M in 2026 - Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"},{"credibility":2,"name":"Bridge hacks back in vogue as Verus exploit brings 2026 total to $329M - Protos","type":"news_article","url":"https://protos.com/bridge-hacks-back-in-vogue-as-verus-exploit-brings-2026-total-to-329m/"},{"credibility":2,"name":"Verus Hacker Returns $8.5M After Bridge Exploit Deal - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/22/verus-hacker-returns-8-5m-after-bridge-exploit-deal/"},{"credibility":2,"name":"Verus Bridge Hack Resolved: 4,052 ETH Recovered Through $2.8M Bounty Deal - Blockonomi","type":"news_article","url":"https://blockonomi.com/verus-bridge-hack-resolved-4052-eth-recovered-through-2-8m-bounty-deal"},{"credibility":2,"name":"Verus Bridge Exploiter Returns Majority Of Stolen Funds - NullTX","type":"news_article","url":"https://nulltx.com/verus-bridge-exploiter-returns-majority-of-stolen-funds-following-structured-bounty-deal-with-project-team/"},{"credibility":2,"name":"Verus Bridge Exploited: $11.58M Drained, Attack Still Live - CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/verus-bridge-exploited-12m-drained-attack-still-live/"},{"credibility":1,"name":"Verus Official Website","type":"official","url":"https://verus.io/"},{"credibility":1,"name":"Introduction to Verus - PBaaS Documentation","type":"official","url":"https://docs.verus.io/overview/"},{"credibility":2,"name":"Michael Toutonghi - Crunchbase","type":"other","url":"https://www.crunchbase.com/person/mike-toutonghi"},{"credibility":1,"name":"VerusCoin GitHub Organization","type":"official","url":"https://github.com/VerusCoin"},{"credibility":1,"name":"VerusCoin v1.2.4 Release - GitHub","type":"official","url":"https://github.com/VerusCoin/VerusCoin/releases/tag/v1.2.4"}],"summary":"Verus Protocol is an open-source, fair-launched blockchain protocol founded in May 2018 by developer Michael Toutonghi that offers a hybrid proof-of-work/proof-of-stake consensus, decentralized identity (VerusID), and Public Blockchains as a Service (PBaaS) infrastructure. On May 18, 2026, the Verus-Ethereum cross-chain bridge was exploited for approximately $11.58 million due to a validation gap in bridge logic that allowed an attacker to claim vastly more value on Ethereum than was deposited on the Verus side. The Verus team subsequently negotiated a partial recovery, with the attacker returning 4,052.4 ETH (approximately $8.5 million) in exchange for a 1,350 ETH bounty (~$2.8 million) and a commitment to halt investigations.","timeline":[{"date":"2018-05-21","event":"Verus Protocol launched with no ICO, no premine, and no developer fees.","source":"Verus Milestones - verus.io","source_url":"https://www.verus.io/milestones"},{"date":"2023-05-01","event":"Full Public Blockchains as a Service (PBaaS) functionality deployed on Verus mainnet.","source":"Medium - Verus Coin","source_url":"https://medium.com/veruscoin/introducing-public-blockchains-as-a-service-pbaas-the-revolutionary-layer-0-1-protocol-79c069ffe178"},{"date":"2026-05-16","event":"Verus released emergency update v1.2.14-2, described as an urgent and mandatory fix for a vulnerability. Relationship to the subsequent bridge exploit has not been publicly confirmed.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"},{"date":"2026-05-18","event":"Verus-Ethereum bridge exploited at approximately 00:54 GMT. Attacker submitted a transfer blob with ~$0.01 VRSC input and claimed $11.58 million in tBTC, ETH, and USDC. Stolen assets converted to 5,402.4 ETH and held at 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.","source":"CoinDesk / Halborn / Protos","source_url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"date":"2026-05-18","event":"Approximately 12 hours after the exploit, most Verus block-generating nodes took themselves offline, halting the Layer 1 chain.","source":"Protos","source_url":"https://protos.com/bridge-hacks-back-in-vogue-as-verus-exploit-brings-2026-total-to-329m/"},{"date":"2026-05-22","event":"Verus team reached a bounty agreement with the attacker. Attacker returned 4,052.4 ETH (~$8.5 million) and retained 1,350 ETH (~$2.8 million) as an agreed bounty. Team committed to halt investigations and not pursue legal action.","source":"Crypto Times / Blockonomi","source_url":"https://www.cryptotimes.io/2026/05/22/verus-hacker-returns-8-5m-after-bridge-exploit-deal/"}]},"v":1}