Verus Cross-Chain Bridge Exploit Drains $11.58M in Single Attack

A forged cross-chain transfer drained $11.58 million from the Verus-Ethereum bridge on May 18, 2026, exposing a missing validation check that security researchers say required less than $10 and roughly 10 lines of code to fix.

How a $10 Transaction Unlocked $11.58 Million

Web3 security firm Blockaid flagged the exploit on May 18, 2026, identifying it as an active, ongoing attack against the bridge, which facilitates asset transfers between the Verus blockchain and Ethereum.

The attacker executed the exploit by creating an export transaction on the Verus blockchain with a value of just 0.02 VRSC. 

The export transaction’s payload committed to the cryptographic hash of a payload that paid out a massive amount of cryptocurrency, but paid zero for the exported source coins. 

The Verus blockchain accepted the transaction. Its notaries signed off without detecting the mismatch.

When the attacker submitted the submitImports() function on Ethereum, the bridge executed the transaction that drained around 1,625 ETH, 103 tBTC, and 147,000 USDC from the protocol’s reserves.

Blockaid attributed the flaw to “a missing source-amount validation in checkCCEValues,” describing it as fixable with approximately 10 lines of Solidity code. 

A second firm, ExVul, reached the same conclusion independently. 

The contract correctly verified the root hash of the notarized Verus blockchain state, the Merkle proof, and the keccak256 hash of the transaction. 

It did not verify that the total value of coins exported from Verus matched the total value to be paid out on Ethereum.

According to Blockaid, the suspected root cause resembles vulnerabilities previously seen in the 2022 Wormhole and Nomad bridge exploits, where a gap existed between source-chain value commitments and destination-chain payouts.

How the Attacker Prepared and Moved the Funds

The attacker’s wallet was initially funded through Tornado Cash, the crypto mixing service often associated with anonymous transactions. 

The address received 1 ETH around 14 hours before the exploit occurred.

PeckShield reported that the attacker subsequently swapped the stolen assets for 5,402 ETH, worth about $11.4 million. 

The consolidated funds remained in the drainer wallet at address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 as of reporting.

On-chain analytics account Lookonchain corroborated the Blockaid alert, reporting that the exploiter had already converted all stolen assets into 5,402 ETH, valued at roughly $11.5 million at current prices.

Verus Suspends Network, Offers Bug Bounty

Verus confirmed on X that its cross-chain bridge had been attacked, resulting in the theft of ETH, USDC, and tBTC from the contract on the Ethereum chain. Other bridged assets were unaffected. 

Most block-producing nodes voluntarily went offline after experiencing the cascading effects of the attack.

“Developers are investigating exactly how the attack was carried out and determining next steps,” the team stated. 

The project also offered a bug bounty if the attacker returns the funds, though the rapid conversion of stolen assets to ETH suggests no interest in negotiation.

Where the Verus Attack Fits in 2026’s Mounting Bridge Losses

Blockchain security monitoring platform Blockaid suspects the root cause is similar to the 2022 hacks of the Wormhole and Nomad bridges. 

The firm estimates the vulnerability cost the attacker just $10 to exploit.

PeckShield reported that at least eight major bridge-related security breaches were recorded between February and mid-May 2026, resulting in combined losses estimated at approximately $328.6 million.

The Verus incident landed just two days after THORChain confirmed a $10 million exploit of its own. 

Before that, April had already produced two of the biggest hacks of the year: a $280 million Drift Protocol exploit and a $292 million Kelp exploit. 

In the first quarter of 2026 alone, crypto attackers stole more than $168.6 million from 34 decentralized finance protocols.

Bridge-related losses now account for approximately 41% of all tracked DeFi exploit losses. 

What Comes Next

• Bridge status: The Verus network remains suspended as of May 22, 2026. Users should avoid interacting with the bridge until the team publishes a post-mortem and security update via verus.io.
• Fund tracing: Security firms including Blockaid, PeckShield, and Lookonchain continue monitoring the drainer wallet for any fund movement.
• Code fix: ExVul recommended cross-chain proof systems to directly tie transfer execution to authenticated payload data before funds are released, along with stricter payload validation and emergency pause mechanisms for unusual outbound transfers.

Attacker link to prior exploit: On-chain analysis links the attacker to the March 2025 1inch Fusion V1 incident.