$11.58M Exploit of Verus-Ethereum Bridge Exposes Cross-Chain Vulnerabilities
Severity: High (Score: 66.9)
Sources: Mexc.Co, coinpaper.com, Kucoin, Thedefiant, Coinfomania
Keywords: bridge, attacker, verus-ethereum, hack, verus, explained, ethereum
Summary
On May 18, 2026, the Verus Ethereum Bridge was exploited, resulting in the theft of approximately $11.58 million in assets, including ETH, tBTC, and USDC. The attack was identified by Blockaid, which reported that the exploit was still active, allowing the attacker to drain funds continuously. The vulnerability stemmed from inadequate validation checks in the bridge's transaction logic, allowing a mismatch between input and output amounts. Investigators noted that the attacker initially funded their wallet through Tornado Cash shortly before the exploit. The incident highlights ongoing security issues in cross-chain infrastructure, which has been a frequent target for attackers in the DeFi space. Security firms are analyzing the exploit to determine the exact methods used and potential weaknesses in the bridge's design. The situation remains critical as the bridge has not yet been fully secured.

Key Points:
- The Verus Ethereum Bridge was exploited, leading to a loss of $11.58 million.
- The attack exploited poor validation in transaction logic, allowing mismatched inputs and outputs.
- The ongoing exploit raises significant concerns about the security of cross-chain bridges in DeFi.
Detailed Analysis
**Impact** The exploit targeted the Verus-Ethereum cross-chain bridge, resulting in approximately $11.58 million in losses, including assets such as 103.6 tBTC, 1,625 ETH, and 147,000 USDC. The attack affects users of the Verus and Ethereum ecosystems, primarily within the decentralized finance (DeFi) sector. The vulnerability exposes locked liquidity pools on the bridge, risking further financial damage while the exploit remains active. This incident adds to the growing number of cross-chain bridge attacks impacting multi-chain DeFi platforms globally.

**Technical Details** The attacker exploited a validation logic flaw in the bridge’s smart contracts, where neither the Verus nor Ethereum side verified that the input amount matched the payout amount. The exploit involved submitting a transfer blob with valid signatures but with a mismatch of $0.01 input versus $11.58 million output, bypassing the missing check in the Ethereum contract’s `checkCCEValues` function. The attacker’s wallet was funded via Tornado Cash shortly before the attack, and the exploit likely leveraged weaknesses in cross-chain message validation, signature forgery, and withdrawal logic bypass. The attack is ongoing, with repeated unauthorized withdrawals detected.

**Recommended Response** Urgently apply patches to the bridge smart contracts to enforce strict input-output value validation on both chains, specifically implementing the missing `checkCCEValues` verification. Deploy real-time monitoring and alerting for abnormal transaction patterns and large withdrawals on the bridge contracts. Block and blacklist attacker wallet addresses identified (e.g., starting with “0x5aBb”) and monitor Tornado Cash-related funding sources. Maintain heightened vigilance on cross-chain bridge infrastructure and prepare incident response plans for rapid containment of similar exploits.
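The input-output validation called for in the Technical Details and Recommended Response above can be sketched as a per-currency conservation check that runs in addition to signature verification. This is an added example, not the bridge's code or the real `checkCCEValues`; the `TransferBatch` shape, the function names and the sample values are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payout:
    currency: str
    amount: int  # integer base units, never floats
    recipient: str


@dataclass(frozen=True)
class TransferBatch:
    # Hypothetical shape: what the source chain says was locked or burned,
    # and what the destination chain is being asked to release.
    declared_inputs: dict
    payouts: tuple


def conservation_violations(batch):
    """Map currency -> (declared_in, requested_out) where payouts exceed inputs."""
    requested = defaultdict(int)
    for p in batch.payouts:
        if p.amount <= 0:
            raise ValueError(f"non-positive payout for {p.recipient}")
        requested[p.currency] += p.amount
    return {
        cur: (batch.declared_inputs.get(cur, 0), out)
        for cur, out in requested.items()
        if out > batch.declared_inputs.get(cur, 0)
    }


def release_allowed(batch, signatures_valid):
    # Valid signatures prove who attested to the batch, not that its values balance.
    return bool(signatures_valid) and not conservation_violations(batch)


# Constructed samples. Payout sizes follow the figures quoted above; the
# declared inputs, decimals and recipient labels are made up for illustration.
ETH, USDC_UNIT = 10**18, 10**6
HONEST = TransferBatch({"ETH": 2 * ETH}, (Payout("ETH", 2 * ETH, "user-a"),))
MISMATCHED = TransferBatch(
    {"ETH": 4_000_000_000_000},  # dust-sized declared input
    (
        Payout("ETH", 1_625 * ETH, "drain"),
        Payout("tBTC", 1_036 * 10**17, "drain"),  # 103.6 at an assumed 18 decimals
        Payout("USDC", 147_000 * USDC_UNIT, "drain"),
    ),
)

if __name__ == "__main__":
    for name, batch in (("honest", HONEST), ("mismatched", MISMATCHED)):
        print(name, release_allowed(batch, True), conservation_violations(batch))
```

The same function can back the monitoring recommendation: run it over decoded bridge messages and alert on any non-empty result instead of blocking.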
Source articles (8)
- Explained: The Verus-Ethereum Bridge Hack (May 2026) — Halborn · 2026-05-18
  In May 2026, the Verus Protocol suffered a hack targeting its Verus-Ethereum cross-chain bridge. The attacker exploited poor validation on the bridge to steal an estimated $11.58 million. The root cau…
- Is Usdc Safe An Analysis Of Its Stability And Security — coinpaper.com · 2026-05-18
  USDC, or USD Coin, is a very popular stablecoin in the world of cryptocurrency. It is designed to maintain a value equal to one U.S. dollar, making it attractive for those looking to avoid the volatil…
- Proof Of Stake Vs Proof Of Work A Comprehensive Comparison — coinpaper.com · 2026-05-18
  The blockchain revolution, ignited by Bitcoin in 2009, introduced two dominant consensus mechanisms that determine how transactions are validated and new blocks are added to distributed ledgers: Proof…
- Top Cross Chain Crypto Bridges — coinpaper.com · 2026-05-18
  The crypto world in 2026 isn’t just Bitcoin and Ethereum anymore — it’s a sprawling multi-chain ecosystem of interoperable blockchains. But these networks don’t naturally “talk” to each other. That’s…
- Verus-Ethereum Bridge Loses $11.5M as Attacker Swaps All Funds to ETH — Coinfomania · 2026-05-18
  The Verus-Ethereum Bridge suffered an $11.58 million exploit due to a validation gap, with stolen funds consolidated into a single wallet. Summary is AI generated, newsroom reviewed. An exploit on the…
- $11.58M Crypto DRAMA: Verus Ethereum Bridge Hacked, Blockaid Sounds Emergency Alarm — Mexc.Co · 2026-05-18
  A major security incident involving the Verus Ethereum Bridge has sent shockwaves through the decentralized finance (DeFi) ecosystem after blockchain security firm Blockaid reported an active exploit…
- $11.58M Drained in Ongoing Exploit on Verus-Ethereum Bridge - "The Defiant" — Thedefiant · 2026-05-18
  An ongoing exploit on the Verus-Ethereum Bridge has drained $11.58 million in assets, according to security firm Blockaid. The vulnerability remains active, indicating the attack is still underway and…
- Verus Ethereum Bridge Exploit Drains $11.5M in Crypto — Kucoin · 2026-05-18
  Investigators said the attacker drained assets including tBTC, ETH, and USDC before swapping the stolen funds into ETH. Security researchers also pointed out that the attacker’s wallet was initially f…
Timeline
- 2026-05-18 — Verus Ethereum Bridge exploit reported: Blockaid detected an active attack on the Verus Ethereum Bridge, draining $11.58 million in assets.
- 2026-05-18 — Investigation reveals attack method: Investigators found that the exploit involved poor validation checks on the bridge, allowing for asset mismatches.
- 2026-05-18 — Ongoing security alerts issued: Blockaid warned users that funds interacting with the bridge remained at risk as the attack continued.
Related entities
- Data Breach (Attack Type)
- IoTeX Hack (Campaign)
- TrustedVolumes Hack (Campaign)
- Lighthouse (Campaign)
- Verus (Company)
- Verus Ethereum Bridge (Company)
- Verus-Ethereum Bridge (Company)
- Verus Protocol (Company)
- Cardano (Company)
- Ethereum (Company)
- Lido Finance (Company)
- China (Country)
- Kazakhstan (Country)
- Netherlands (Country)
- South Korea (Country)
- CWE-862 - Missing Authorization (Cwe)
- beaconcha.in (Domain)
- btc.com (Domain)
- Financial (Industry)
- Beacon Chain (Platform)
- Bitcoin (Platform)
- Ethereum Classic (Platform)
- Prysm (Platform)
- Rocket Pool (Platform)
- Solana (Platform)
- Tornado Cash (Tool)