
HIGH RISK
Verus-Ethereum Bridge Drained Of $11.5M Via Forged Transfer Exploit
Attacker forged a cross-chain transfer to drain $11.5M from the Verus-Ethereum bridge, swapping stolen tBTC, ETH, and USDC into 5,402 ETH via Uniswap.
Our Analysis
On May 18, 2026, blockchain security firm Blockaid flagged an active exploit on the Verus-Ethereum bridge at approximately 00:54 GMT. An attacker submitted a forged cross-chain import message to the bridge contract, exploiting a critical validation gap that allowed the unauthorized withdrawal of reserve assets. The bridge was drained of 1,625 ETH, 103.6 tBTC, and approximately 147,000 USDC. The attacker subsequently swapped all stolen assets into roughly 5,402 ETH (~$11.5 million) via Uniswap, consolidating the proceeds into a single wallet.
The root cause was a fundamental flaw in the bridge's cross-chain message verification. According to security researchers at PeckShield and GoPlus, the bridge successfully validated signatures, state roots, and Merkle proofs from the Verus chain, but critically failed to confirm whether the assets being requested on Ethereum were actually backed by sufficient value on the Verus side. The attacker first sent a low-value transaction to the bridge contract (0x71518580f36FECEffE0721F06BA4703218CD7F63 on Ethereum) before invoking a function that triggered a batch transfer of reserve assets to the drainer wallet. GoPlus described the vulnerability as likely involving cross-chain message validation forgery, withdrawal logic bypass, or an access control flaw.
The attacker's primary wallet (0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 on Ethereum) was funded with 1 ETH via Tornado Cash approximately 14 hours before the exploit, a common pattern in premeditated DeFi attacks designed to obscure the attacker's origin. The consolidated stolen funds were moved to a secondary wallet (0x65Cb...C25F9 on Ethereum), which held the full 5,402 ETH proceeds as of the latest reporting. PeckShield confirmed the breakdown of stolen assets and the swap path through decentralized exchanges.
As of publication, Verus has not released an official post-mortem or detailed incident report. Community discussions about potential reimbursement and insurance coverage have begun, but no formal recovery plan has been announced. The bridge remains paused. The absence of a timelock mechanism or multi-signature requirement on the bridge's withdrawal functions amplified the attack's impact, allowing the entire drain to occur in a single sequence of transactions.
Users who interacted with the Verus-Ethereum bridge should check their wallet activity for any unauthorized transactions and avoid interacting with the bridge contract until an official all-clear is issued. This incident reinforces the importance of verifying that cross-chain bridges validate not just message authenticity but also the economic backing of cross-chain claims. Bridge users should favor protocols that employ multiple independent verification layers and maintain transparent security audits.
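The validation gap described above, modelled as an added example (not code from Verus or from the researchers cited here): a verifier that checks only message authenticity next to one that also enforces per-asset value conservation. The message format, field names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root_from_proof(leaf: bytes, proof: list) -> bytes:
    """Fold a leaf hash up the tree; each step is (sibling, sibling_is_left)."""
    node = h(leaf)
    for sibling, is_left in proof:
        node = h(sibling + node) if is_left else h(node + sibling)
    return node

@dataclass
class ImportMessage:          # hypothetical format, not the Verus wire format
    export_leaf: bytes        # source-chain export record, e.g. b"ETH:1"
    proof: list               # Merkle path from export_leaf to the trusted root
    payouts: dict             # asset -> amount requested from bridge reserves

def parse_export(leaf: bytes) -> dict:
    """Decode 'ASSET:AMOUNT;ASSET:AMOUNT' into {asset: amount locked on source}."""
    out = {}
    for part in leaf.decode().split(";"):
        asset, amount = part.split(":")
        out[asset] = out.get(asset, 0) + int(amount)
    return out

def verify_authenticity_only(msg: ImportMessage, trusted_root: bytes) -> bool:
    """Weak check: proves the export exists, says nothing about its value."""
    return merkle_root_from_proof(msg.export_leaf, msg.proof) == trusted_root

def verify_with_backing(msg: ImportMessage, trusted_root: bytes, reserves: dict) -> bool:
    """Hardened check: authenticity plus per-asset value conservation."""
    if not verify_authenticity_only(msg, trusted_root):
        return False
    locked = parse_export(msg.export_leaf)
    for asset, amount in msg.payouts.items():
        if amount <= 0 or amount > locked.get(asset, 0):
            return False      # payout not backed by value locked on source
        if amount > reserves.get(asset, 0):
            return False      # never pay out more than the reserve holds
    return True

# Constructed sample: a two-leaf tree whose root stands in for a verified state root.
LEAF = b"ETH:1"
SIBLING = h(b"USDC:50")
ROOT = h(h(LEAF) + SIBLING)
RESERVES = {"ETH": 1000, "USDC": 100000}
HONEST = ImportMessage(LEAF, [(SIBLING, False)], {"ETH": 1})
UNBACKED = ImportMessage(LEAF, [(SIBLING, False)], {"ETH": 1000, "USDC": 100000})
```

Both sample messages carry a valid proof, so the authenticity-only verifier accepts both; only the backing check separates the message whose payouts match the committed export from the one whose payouts exceed it.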
The Verus bridge exploit joins THORChain ($10.8M) and KelpDAO ($292M) in a wave of bridge-related incidents in 2026, collectively draining over $300 million. Cross-chain bridges remain among the highest-risk components in DeFi infrastructure, accounting for approximately $2.9 billion in cumulative losses historically.
RugPull News • May 18, 2026
Rug Pull Score: 8.2/10 (based on our analysis)
🚩 Red Flags Identified
- Attacker wallet 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 funded with 1 ETH via Tornado Cash 14 hours before the exploit
- Bridge validated signatures and Merkle proofs but failed to verify backing asset amounts on the Verus side
- Drainer wallet 0x65Cb...C25F9 consolidated all stolen funds into 5,402 ETH (~$11.5M)
- Attacker submitted forged cross-chain import message to trigger batch transfer of bridge reserves
- Bridge contract lacked source-amount validation in its settlement verification process
- No post-mortem released by Verus team as of reporting; community reimbursement discussions ongoing


