Verus Bridge Exploiter Returns $8.5M After Bounty Deal - News 2026

— By Whatsertrade in news

Verus Bridge Exploiter Returns $8.5M After Bounty Deal - News 2026

The Verus-Ethereum bridge attacker has returned 4,052.4 ETH (~$8.5M, 75%) after a negotiated bounty deal. Bridge contract 0x71518580f36feceffe0721f06ba4703218cd7f63. Confirmed by CertiK and PeckShield. Here is the full timeline and what users should learn.

The attacker behind the Verus-Ethereum bridge exploit on May 18, 2026 has returned the majority of the stolen funds after accepting a negotiated bounty deal. According to on-chain confirmations and security firm postings from CertiK and PeckShield, the exploiter sent 4,052.4 ETH (approximately $8.5 million) back to the VerusCoin team, representing roughly 75% of the original ~$11.4 million drained from the bridge contract.

The compromised contract, 0x71518580f36feceffe0721f06ba4703218cd7f63, served as the cross-chain bridge between Verus and Ethereum and was the primary egress for assets moving between the two networks. The exploit and subsequent bounty negotiation mark one of the larger successful white-hat recoveries of the cycle, though the keep of ~$2.9 million by the attacker as a "bounty" continues to fuel debate over the ethics and incentives of these settlements.

Quick take: 4,052.4 ETH (~$8.5M) returned, ~$2.9M kept by attacker as bounty. Bridge contract 0x71518580f36feceffe0721f06ba4703218cd7f63. Confirmed by CertiK, PeckShield, and CoinDesk reporting. Verus team confirmed the settlement publicly.

Timeline of the Verus bridge exploit

  • May 18, 2026: Verus-Ethereum bridge contract drained for approximately $11.4M in ETH and bridged assets. Initial alerts flagged by on-chain monitoring within minutes of the first malicious transaction.
  • May 18 to May 22: VerusCoin team confirmed the exploit, paused bridge operations, and opened a public negotiation channel with the attacker, offering a bounty for return of funds and assurances of no legal action.
  • May 23 to May 24: Attacker signaled willingness to engage via on-chain messages. Terms negotiated for partial return.
  • May 25, 2026: Attacker transferred 4,052.4 ETH back to a VerusCoin team-controlled address, completing the settlement at approximately 75% return of stolen value.

Technical details of the bridge exploit

The exploit followed a pattern increasingly common in cross-chain bridge incidents during 2024 to 2026: a flaw in the bridge's message-verification or asset-release logic allowed an attacker to mint or withdraw assets without a corresponding lock or burn on the counterpart chain. Security postmortems from PeckShield and CertiK indicated that the Verus bridge contract permitted an unauthorized state update under specific edge-case conditions, allowing the attacker to drain ETH and bridged tokens in a sequence of large transactions.

The drained contract:

Compromised contract address

0x71518580f36feceffe0721f06ba4703218cd7f63

Network: Ethereum mainnet

Function: Verus-Ethereum bridge endpoint

Total initial losses were estimated at approximately $11.4 million, denominated primarily in ETH with smaller positions in bridged Verus assets. The attacker consolidated the drained funds into a small number of holding wallets before bridging or swapping any portion.

How the bounty negotiation worked

The VerusCoin team opted for a public negotiation strategy rather than immediately handing the case to law enforcement or attempting on-chain freezing through centralized stablecoin issuers. The pattern they followed is by now well-established for crypto bridge recoveries:

  1. Public offer: Team announces a fixed bounty percentage in exchange for return of the bulk of funds and a commitment to no legal action.
  2. On-chain communication: Both sides exchange signed messages through contract calls or transaction input data to confirm intent.
  3. Test transfer: Attacker often sends a small return as proof of cooperation.
  4. Full settlement: Larger return transaction completes the deal.

In the Verus case, the attacker kept roughly 25% of the drained value, totaling around $2.9 million. This is on the higher end of bounty percentages seen in recent recoveries, where the typical settlement falls between 5% and 15%. The relatively favorable terms for the attacker reflect both the technical leverage they held and the urgency for Verus to recover user-facing liquidity quickly.

Sources and external verification

  • CertiK Alert: Confirmed the return of 4,052.4 ETH via @CertiKAlert on-chain monitoring.
  • PeckShield: Independent confirmation via @peckshield, with on-chain transaction references.
  • CoinDesk: Mainstream coverage corroborated the bounty settlement and timeline.
  • VerusCoin team: Public confirmation through the project's official communications channels.
  • Etherscan: All settlement transactions are visible on the public Ethereum blockchain, indexed against the bridge contract address.

Market impact and broader context

The Verus incident sits within a broader 2026 pattern where bridge exploits have continued to dominate the loss ledger for crypto security incidents, even as smart-contract auditing tooling has matured. Cross-chain message verification remains one of the hardest problems in production crypto infrastructure, and most successful bridge attacks exploit either signer compromise, replay vectors, or edge-case verification logic that survived static analysis but failed under live conditions.

For VerusCoin specifically, the partial recovery is positive for user sentiment but the project still faces meaningful operational headwinds. Bridge operations were paused during the negotiation period, breaking the user flow for anyone moving assets between Verus and Ethereum, and any redeployment will require a full audit cycle and likely a migration to a new bridge contract.

Risk implications for bridge users

Risk note: Bridge exposure remains one of the highest-tail-risk categories in DeFi. Even bridges that have operated cleanly for years are not immune. Users moving size through any cross-chain bridge should treat the bridge contract itself as the highest-risk leg of any multi-chain strategy and prefer atomic-swap or trust-minimized alternatives where possible.

Specific lessons users can take from the Verus incident:

  • Bridge concentration risk: Avoid leaving long-tail assets parked in a bridge contract for extended periods. The exposure window is the holding window.
  • Monitor team response capability: Bridges run by responsive teams with public communication channels recover funds more often than those run by anonymous or unresponsive teams.
  • Diversify bridge usage: Spreading transfers across multiple bridges over time reduces single-contract exposure for active users.
  • Watch for redeployment audits: Do not return to a compromised bridge until the team publishes an independent audit and a clear postmortem identifying root cause.

Where to track Verus and related assets

For users still holding Verus-bridged assets or monitoring the project's recovery, on-chain pair data and market analytics are available through standard DeFi tooling. DEXTools provides live pair tracking and security scanning for tokens across Ethereum and other supported chains. Watching wrapped or bridged Verus pair liquidity and holder distribution is a leading indicator for how quickly trust returns to the project.

The bridge contract address remains visible on Etherscan, where users can audit the full history of the exploit and recovery transactions independently.

How this fits in the 2026 bridge-exploit pattern

The Verus incident is the latest entry in a year that has seen bridge exploits remain a dominant category of crypto loss events even as audits, formal verification, and runtime monitoring have all matured. The recurring pattern across these incidents is that the bug class is rarely a fresh discovery; it is almost always a known anti-pattern that survived audit either because the audit scope did not cover the specific path or because production conditions diverged from the audited specification.

What distinguishes the successful recoveries from the total losses in 2026 is not the audit quality per se. It is the speed and credibility of the team's post-incident response. The Verus team's choice to negotiate publicly and accept a meaningful bounty haircut delivered a partial recovery in roughly one week. Teams that have attempted to recover through silent on-chain countermeasures, legal threats, or denial have consistently fared worse and ended up with both lower recovery rates and lasting reputational damage.

For users evaluating bridge risk going forward, the operational signal is at least as important as the audit certificate. Teams with public communications channels, multi-sig governance, transparent custody, and demonstrated incident-response playbooks are systematically lower risk than teams that publish a single launch announcement and then go quiet.

What the Verus settlement does not solve

A 75% recovery is a good outcome relative to historical norms, but it does not restore the system to its pre-exploit state. The remaining ~$2.9 million sits with the attacker as a permanent loss to the protocol or its users, depending on how the team decides to socialize the impact. The bridge contract itself remains compromised in the public mind regardless of any future audit, which means a redeployment under a new address is effectively mandatory.

The longer-term question for Verus is whether the bridge's user base returns at scale once a redeployment is live. Empirically, bridges that suffer exploits and rebuild often see permanent reductions in throughput even after technical fixes ship. Users have memory, and competitive bridges with cleaner histories often capture the marginal flow that would have gone to the recovered bridge.

Frequently asked questions

How much was stolen from the Verus bridge?

Approximately $11.4 million in ETH and bridged assets was drained from the Verus-Ethereum bridge contract on May 18, 2026.

How much was returned by the exploiter?

The attacker returned 4,052.4 ETH, worth approximately $8.5 million, representing roughly 75% of the original stolen value. The remaining ~$2.9 million was kept as a negotiated bounty.

What is the address of the compromised contract?

The Verus-Ethereum bridge contract address is 0x71518580f36feceffe0721f06ba4703218cd7f63 on Ethereum mainnet.

Who confirmed the recovery?

The return was confirmed independently by CertiK, PeckShield, and through CoinDesk reporting, with all settlement transactions visible on Etherscan.

Is the Verus bridge safe to use now?

The bridge contract should be considered compromised until the VerusCoin team publishes a full postmortem, deploys a new audited bridge contract, and confirms operations have resumed under the new deployment. Users should not interact with the original contract.

Related Guides