Verus cross-chain bridge hacker returns 75% of stolen funds, the protocol team accepts settlement and does not pursue further action

Attacker Returns 4,052 ETH (about $8.5 million), Keeps 1,350 ETH as a bounty—Verus cross-chain bridge hack concludes with negotiations, but questions arise whether the bounty mechanism inadvertently encourages "attack first, negotiate later."
(Background: Verus Ethereum cross-chain bridge attacked! Blockaid monitoring: losses exceed $11.58 million)
(Additional context: After the THORChain hack, a recovery proposal was launched: protocol absorbs $8B loss, destroys attacker’s $RUNE)


The incident involving the Verus Ethereum cross-chain bridge in mid-May saw significant progress after days of negotiations. The attacker voluntarily returned about 4,052 ETH today, worth approximately $8.5 million, accounting for 75% of the 5,402 ETH (about $11.58 million) initially stolen. The Verus protocol team announced that it accepted the negotiation outcome, agreeing not to pursue legal action against the hacker, and treated the remaining 1,350 ETH (about $2.8 million) as a white-hat bounty, a reward for discovering and revealing the vulnerability.

Negotiation results and fund restitution details

On-chain data shows that the returned funds were transferred in batches from the attacker’s address to Verus’s officially designated wallet. The full details of the negotiation have not been publicly disclosed, but the community generally believes this was a "bug bounty" style negotiation led by the Verus team. The attacker issued a statement on social media emphasizing that they were not stealing maliciously but hoped the action would prompt the protocol to prioritize security, and expressing gratitude that the team was willing to resolve the matter constructively.

Community reactions divided: a model or an incentive?

However, within the Verus community, opinions are divided. Some members see this as a model in DeFi security—reducing losses through negotiation, avoiding lengthy lawsuits, and ultimately recovering most of the funds; but others criticize it as a de facto encouragement of "attack first, negotiate later," allowing hackers to walk away with substantial rewards.

Review: the history of cross-chain bridge attacks

In fact, similar patterns are not unique to the Verus incident. In July 2021, THORChain was attacked, losing about $5 million; after public calls from the protocol, the attacker returned most of the funds and received a 10% bounty. In August of the same year, Poly Network was hacked for $610 million; under social pressure and negotiations, the hacker returned nearly all the funds, and the protocol did not press charges. These cases share a similar trajectory: attackers are not purely motivated by profit but also seek to "expose vulnerabilities," and protocols offer bounties as incentives to facilitate fund recovery.

In contrast, the early 2022 Wormhole bridge attack (loss of $320 million) and the Ronin bridge attack (loss of $620 million) ended very differently. Wormhole’s parent company Jump Crypto fully compensated the loss, and the attacker has not been caught; Ronin was confirmed to be the work of North Korea’s Lazarus Group, with funds difficult to recover, and only partial assets frozen by law enforcement. These events highlight that "bounty negotiations" are not a cure-all; whether an agreement can be reached often depends on the attacker’s identity and motives.

Bounty models: a double-edged sword for DeFi security

Bounty models are becoming increasingly complex in the DeFi security ecosystem. On one hand, they give projects a quick way to stop the bleeding, especially in early stages that lack insurance mechanisms, and effectively reduce final losses. On the other hand, this approach can create moral hazard, leading potential attackers to believe that returning most of the funds will exempt them from criminal liability and even earn them substantial rewards. In the long run, DeFi protocols must return to fundamentals: strengthening code audits, deploying real-time monitoring, and implementing emergency pause mechanisms to reduce such incidents at the source.

Verus co-founder Michael J. Toutonghi stated on social media that this incident provided valuable lessons, and they plan to enhance the security of bridging contracts comprehensively, considering more robust bug bounty mechanisms so white-hat hackers can proactively report vulnerabilities before attacks occur. He emphasized that the primary goal of the protocol is always to protect user assets. While the outcome was not perfect, it represents the best possible solution under current circumstances.

As of press time, the Verus cross-chain bridge has resumed normal operation, with user funds secure. This incident leaves the industry with a thought-provoking case: when there is room for negotiation between attackers and protocols, can bounty models become a standard for DeFi security, or are they merely band-aids that fail to address root causes?
