HIGH RISK

Verus-Ethereum Bridge Drained Of $11.6M Via Validation Flaw

Attacker exploits missing source-amount validation in the Verus bridge contract, draining 103.6 tBTC, 1,625 ETH, and 147K USDC before returning 75% via bounty deal.

Our Analysis

On May 18, 2026, the Verus-Ethereum cross-chain bridge was exploited for approximately $11.58 million after an attacker discovered a critical validation flaw in the bridge contract's logic. Blockchain security firm Blockaid first detected suspicious activity around 00:54 GMT involving the Verus-Ethereum Bridge contract. The attacker drained 103.6 tBTC (Threshold Network tokenized bitcoin), 1,625 ETH, and approximately 147,000 USDC before swapping all assets into 5,402.4 ETH.

The root cause was a fundamental validation gap: while both sides of the cross-chain bridge performed checks, neither side verified that the input amount on the Verus chain matched the payout amount on Ethereum. The attacker exploited this by creating an export transaction on the Verus blockchain with a value of just 0.02 VRSC, while the export transaction's payload committed to a cryptographic hash that authorized a massive payout on the Ethereum side. In essence, the bridge honored a multi-million dollar withdrawal request backed by a near-zero deposit — a classic source-destination value binding gap.

The attacker wallet (0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 on Ethereum) was funded via Tornado Cash approximately 14 hours before the exploit, indicating premeditation. Stolen funds were moved to a consolidation wallet (0x65Cb8b128Bf6e690761044CCECA422bb239C25F9) where all assets were swapped into ETH. The Verus bridge contract (associated with 0x791af5fcb5198c9f469d66b934864dab43d7f044 on Ethereum) had been operating without the critical input-output verification check despite handling significant cross-chain liquidity.

In a partial resolution, the Verus team posted an on-chain whitehat bounty message offering 1,350 ETH (approximately $2.8 million) if the exploiter returned the remaining 4,052 ETH within 24 hours. PeckShield confirmed the exploiter accepted the deal, returning 4,052 ETH (~$8.5 million) to the project while retaining 1,350 ETH as an accepted bounty. This recovered approximately 75% of the stolen funds, though the $2.8 million bounty remains one of the largest payouts to a greyhat attacker in 2026.

This incident reinforces that bridge infrastructure remains the most exploited attack surface in DeFi. Users should verify that any cross-chain bridge they use has undergone recent audits specifically covering input-output validation logic. Before bridging significant amounts, check whether the bridge contract has been verified on block explorers, review audit reports for the specific validation checks implemented, and consider using bridges that implement time-locks or multi-signature withdrawal mechanisms. The fact that a 0.02 VRSC transaction could trigger an $11.58M payout highlights how a single missing check can compromise an entire protocol.
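The value-binding gap described above, shown as an added example in a simplified Python model of a destination-side bridge verifier (this is illustrative code, not the Verus bridge contract or its real data layout): the weak verifier only checks that the payout list matches the hash committed on the source chain, while the hardened verifier additionally binds every payout to the amount actually locked. The `Export` structure, token names, and amounts are constructed for the example, and the model assumes a one-for-one token mapping rather than the rate conversion a real bridge would need.

```python
import hashlib
import json
from dataclasses import dataclass

# Simplified model (constructed, not the Verus protocol's layout): `locked` is what was
# actually deposited on the source chain, `payouts` is what the committed payload asks the
# destination chain to release. Both are {token: amount in smallest units}.
@dataclass(frozen=True)
class Export:
    locked: dict
    payouts: dict
    payload_hash: str

def hash_payload(payouts: dict) -> str:
    # Canonical encoding so the same payout set always yields the same commitment.
    canonical = json.dumps(sorted(payouts.items()), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def validate_weak(export: Export) -> bool:
    # Only checks that the payload matches the committed hash. This is the gap described
    # above: a valid commitment says nothing about whether enough value was locked.
    return hash_payload(export.payouts) == export.payload_hash

def validate_bound(export: Export) -> tuple:
    # Hardened form: commitment check plus per-token binding of payout to locked value.
    if not validate_weak(export):
        return False, "payload does not match committed hash"
    for token, amount in export.payouts.items():
        available = export.locked.get(token, 0)
        if amount <= 0:
            return False, f"non-positive payout for {token}"
        if amount > available:
            return False, f"payout {amount} {token} exceeds locked {available}"
    return True, "ok"

# Constructed scenario with the shape of the incident: a tiny deposit whose payload commits
# to a large payout in other tokens. Amounts are illustrative (8 decimals for VRSC,
# 18 for tBTC and ETH), not recovered on-chain data.
SMALL_DEPOSIT = {"VRSC": 2_000_000}                       # 0.02 VRSC
BIG_PAYOUT = {"tBTC": 1036 * 10**17, "ETH": 1625 * 10**18}  # 103.6 tBTC, 1,625 ETH
MISMATCHED_EXPORT = Export(SMALL_DEPOSIT, BIG_PAYOUT, hash_payload(BIG_PAYOUT))

HONEST_LOCK = {"ETH": 10**18}
HONEST_EXPORT = Export(HONEST_LOCK, dict(HONEST_LOCK), hash_payload(HONEST_LOCK))

if __name__ == "__main__":
    print("weak  :", validate_weak(MISMATCHED_EXPORT))    # True: commitment alone passes
    print("bound :", validate_bound(MISMATCHED_EXPORT))   # (False, '...exceeds locked 0')
    print("honest:", validate_bound(HONEST_EXPORT))       # (True, 'ok')
```

A tampered payload whose hash does not match the commitment is rejected by both verifiers; the difference is only in whether a correctly committed but unfunded payout is honored.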
RugPull News, May 18, 2026

Rug Pull Score

7.5/10
Based on our analysis

🚩 Red Flags Identified

  1. Attacker wallet 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 funded via Tornado Cash 14 hours before exploit — premeditated attack
  2. Bridge contract failed to validate that source export amounts matched destination payout amounts — critical logic flaw
  3. Stolen funds consolidated into 5,402.4 ETH at 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9
  4. Exploit allowed a 0.02 VRSC export transaction to trigger multi-million dollar payouts on Ethereum
  5. Bridge operated without adequate input-output verification despite handling $11.58M in cross-chain liquidity
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.