Key Takeaways:
- The attacker successfully exploited a weakness in the cross-chain validation process and stole approximately $11.58 million from Verus’ ETH bridge.
- According to the hacker, the transaction fees for VRSC were close to $10, and drained 1,625 ETH, 103 tBTC and 147,000 USDC.
- According to the security firms, the exploit is similar to the Wormhole bridge and the Nomad bridge hacks, which were made in the same manner.
Cross-chain bridge security has again been thrust into the spotlight after a new DeFi attack which resulted in the loss of over $11 million from Verus-Ethereum bridge. According to the firms involved in the incident, it was not a result of stolen keys or broken signatures, but rather an economic value invalidation flaw that was present at the critical stage of the bridge’s economic value cross-chain validation process.
Verus Bridge Exploit Empties $11.58 Million
According to onchain security platform Blockaid, there is an ongoing exploit targeting the Verus-Ethereum bridge. The protocol’s reserves were allegedly drained of about 1,625 ETH, 103 tBTC and nearly 147,000 USDC.
🚨 Community alert:
Blockaid’s exploit detection system has identified an on-going exploit on the @veruscoin Verus-Ethereum Bridge (https://t.co/HEwYZqFEfC).
~$11.58M drained so far.More details in🧵
— Blockaid (@blockaid_) May 18, 2026
The researchers also estimate that the stolen funds were subsequently exchanged for more than $11.4 million worth of USD in the market place in the form of approximately 5,402 ETH.
It’s said that 1 ETH was deposited into the attacker’s wallet via Tornado Cash just prior to the attack, a technique commonly used in large attacks to cover transaction tracks in DeFi smart contracts.
Read More: $5.87M Ethereum Exploit Hits TrustedVolumes as 1inch Denies Any Protocol Breach
How the Exploit Worked
Security analysts say the exploit stemmed from a missing validation check inside the bridge’s import verification logic.
Cross-Chain Message Passed Validation Without Backing Assets
The bridge has been able to successfully test notarized state roots, Merkle proofs, and hash bindings, Blockaid said. But it supposedly did not verify the existence of sufficient collateral for the payouts made on Ethereum to cover the corresponding chain operation.
Apparently a low-value transaction called Verus was created that contained a valid payout hash and set the totals of the source-side assets to almost zero. As the exported payload remained the same cryptographic hash as that expected, the bridge released the transfer request and released reserve assets.
DeFi Bridge Attacks Are Accelerating Again
It’s the latest in a series of security issues that occurred on bridges in 2026. As crypto protocols keep adding and enhancing interoperability functions, cross-chain infrastructure has emerged as yet another top attack surface in the blockchain world.
Read More: $7.6M DeFi Exploit Rocks Rhea Finance as Hackers Manipulate Pools in Hours
If the scale of liquidity reserves held by security firms is not sufficiently large, it may be due to the fact that the verification logic between the different chains in the bridge system is extremely complex. That combination has proven to be a favorite among targets for attacks many times.
You should also note that the attack has come on the heels of another large cross-chain security breach, where THORChain was forced to admit to its own $10 million.
As per security blockchain data, DeFi hacks have already garnered hundreds of millions of dollars in losses so far this year, which includes bridge hack protocols.
