From Discord: We can confirm that 4052.4 ETH (around 75% of the stolen funds) have been returned to the funds return address by the bridge exploiter, and are now controlled by members of the Verus community. While we are hard at work on a plan to reintegrate those funds into the bridge and restore DeFi functionality, we would like to address a few key questions we have been seeing across public discussion and social media, invite everyone to participate in the community meeting taking place today at 19:00 UTC time [on Discord], discuss the plan going forward, and reflect a little on the events of the last few days. Firstly, we would like to announce that we will be following our end of the publicly posted terms: we are ceasing any investigation we were previously conducting, and will not be pursuing the exploiters further or pressing charges. The 1350 ETH has been moved to another address by the exploiter, is a bounty and not viewed by us as stolen funds. To those asking how we came to the amount offered as the bounty, it was an amount that, along with the reduction of risk to them by considering this a bounty, we believed would be most likely to result in a return of funds. Out of respect for our end of the terms, we will not be engaging in discussion regarding the negotiation process. Secondly, we need to acknowledge and learn from this experience as a community broadly, if we want a long and prosperous future for Verus as a project. Our success or challenges affect everyone in the community, and others indirectly through them. As mentioned in our breakdown of the exploit, it was both sophisticated and statistically fortunate. However, it was ultimately possible due to a chained together series of difficult to exploit software bugs, that on their own, could be considered minor. The few community developers that could have detected and fixed those issues before this event have been working, oftentimes as volunteers, tirelessly now for more than 8 years to bring the vision behind Verus to fruition. Although a small and appreciated number of core community members have listened and understood repeated attempts to sound the alarm about the need to fund development and continuous strengthening of a protocol as revolutionary as Verus, these discussions have often been overshadowed by marketing or other priorities first, even though the protocol, with unique capabilities and robustness, along with a breadth of core contributors make up the bedrock on which everything rests. Development donations even just to Valu's matching (Valu has offered to match up to 20k $ per month), a funded bug bounty program, or one or more extra pairs of skilled eyes developing on the Verus codebase may have enabled identifying and preventing this issue before it began, and would have cost a lot less than 3 million $. Although not exciting to hear or discuss, funding solid, sustainable development is as important as ever in the coming age of AI enabled exploits and quantum computing. Finally, we would also like to mention that those looking to market or advertise themselves or their services (however well intentioned), whether that is auditing, investigation, etc. refrain from doing so in today's community meeting, and reach out to @lyonsnicholas1 ["Consilience" on Discord] directly instead. Today will be a chance to discuss how we plan to move forward from this event, and address any further questions regarding the incredibly stressful last few days. Although we can all breath a bit easier with the funds return having taken place, the hardest work to do to get Verus back on track is still ahead of us. Thank you all and we hope to see you here in the Verus Discord for today's community meeting at 19:00 UTC.

The returned Verus bridge funds have now been converted back into the original currencies for reintegration into the Verus network. The Verus recovery address currently holds 1,194.86 ETH (73.51% recovered), 76.0321 tBTC (73.41% recovered), and 147,727.67 USDC (100% recovered as discussed in the community meetings). One issue we noticed is that some DEX interfaces have blocked the Verus return/recovery address. This address is not the attacker’s wallet. It is the community recovery address holding community funds. We ask @Uniswap (your compliance department has been notified, we are still waiting for a response) @1inch @blockaid_ to review and correct the classification of the Verus recovery address (0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74).

 We ask the community to help by tagging relevant DEX interfaces, wallets, block explorers, and tracking services below, so the Verus recovery address is correctly recognized across the ecosystem. 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74

🚨 紧急 | Arisk 安全警报 🚨 ⚠️ Verus-Ethereum Bridge 被利用，1158 万美元已提取 攻击者已成功从 Verus-Ethereum Bridge 中提取约 1158 万美元 资产（含 1625 ETH 103.57 tBTC v2 部分 USDC），后续全部换成 5402 ETH。 📌关键地址（请勿交互）： • 攻击者 EOA： 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 • 资金归集地址（资金仍在）： 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 📌攻击交易： etherscan.io/tx/0x6990f01720… 📌合约： • 0x71518580f36FeCEFfE0721F06bA4703218cD7f63 Arisk 将持续跟踪后续动向，有新进展第一时间更新。 访问➡️ arisk.io 免费体验毫秒级地址风险监测、地址监控等功能 关注📷 @Arisk_io 获取及时、准确的链上威胁情报！ #Verus #DeFi #BridgeExploit #区块链安全 #CryptoSecurity #Arisk #DeFiHack #AML

Prayers answered 🙏 The requested amount, within the deadline set by the Verus community, has been returned. The way this community came together in such a moment is extraordinary. We have remarkable and wonderful people from all over the world. $VRSC etherscan.io/address/0xF9AB2…

To the Verus<->Ethereum Bridge Exploiter: Members of the Verus community and its developers have discussed a set of terms, detailing the size of the bounty, obligations from your side and ours, and how the funds can be returned. 1. We have agreed that the bounty amount will be 1350 ETH. If you adhere to these terms, we will consider these 1350 ETH a reward for your exposing of a vulnerability, and we would publicly request to all interested parties that the 1350 ETH be considered your legitimate bounty. 2. If the funds are returned to the address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74, minus 1350 ETH, meaning a total return of 4052.4 ETH within 24 hours after this post, Verus community members and developers, and everyone we currently know to be involved in investigating the event, will halt any existing investigations into you to the best of our ability, and we will not press charges or pursue extralegal consequences. We will consider the address that holds 1350, either as change or if still in the source as the bounty address. If you return a total of 4052.4 ETH to the address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74 within the 24 hours specified above, we will understand that as your agreement to these terms, and we will uphold our stated agreement to cease further investigation into you, not initiate new investigation of you, not press charges, and not seek additional consequences. We will also post a public acknowledgement, referencing the 1350 ETH and publicly state that we consider those funds to be your bounty. If further communication is required to come to an agreement, please refer to the following contact points, as mentioned in previous messages: email: verus.bridge@proton.me z-address on Verus (for encrypted memo communication): zs1wl6e6qe8z8n8t8jp4qxek5ey53t9xajzwxc75gj72wrcwuq6ha4mdg0v8p6z8wpkz2fhxrqlayc For confirmation that this offer is coming from the Verus Community, you can see the same message posted on the Verus Discord, in the announcements channel.

Announcement regarding the attack on the Verus-Ethereum Bridge:

Verus verus-coin:native risk management posture pre-May 15: 🔴Security: No audits, bounty, monitoring, prevention. 🟠Financial: Thin on supply analysis, treasury, locker discipline. 🟠Operational: No certifications. Thin documentation. 🟠Reputational: No incident response track record. No insurance. The data is based on the disclosed controls by the project. Act accordingly to your risk tolerance.