HIGH RISK
Verus-Ethereum Bridge Exploited For $11.6M Via Validation Flaw
Attacker fabricated a $0.01 cross-chain transfer to drain $11.6M from the Verus-Ethereum bridge. Hacker later returned $8.5M under a negotiated bounty deal.
Our Analysis
On May 18, 2026, an attacker exploited a critical validation flaw in the Verus-Ethereum bridge to drain approximately $11.58 million in crypto assets. Security firm Blockaid first detected suspicious activity around 00:54 GMT involving the bridge contract. The attacker's wallet (0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 on Ethereum) had been funded via Tornado Cash approximately 14 hours before the exploit, indicating premeditated planning. The stolen assets — 1,625 ETH, 103.6 tBTC, and 147,000 USDC — were swapped into 5,402.4 ETH and consolidated into a single trackable address.
The root cause was an architectural failure in the bridge's cross-chain validation logic. The attacker created a transfer blob containing only approximately 0.02 VRSC (worth roughly $0.01) in inputs on the Verus side, but included instructions to release $11.58 million in outputs on the Ethereum side. When submitted to the bridge's submitImports() function, the system verified the cryptographic signatures and blob authenticity but critically skipped amount reconciliation. The checkCCEValues function — responsible for validating cross-chain export values — was missing the crucial step of verifying that source-chain input amounts matched destination-chain output amounts. As Halborn's analysis noted, "the smart contract code on both sides of the cross-chain bridge did exactly what it was supposed to do" — the failure was architectural, not cryptographic.
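To make the missing step concrete, the following added Python model shows an authenticity-only export check beside one that also reconciles per-currency source inputs against destination outputs. It is not Verus or bridge code: the blob layout, the HMAC tag standing in for notary signatures, the currency labels, the recipient placeholders and all amounts are constructed for the example, with the fabricated blob shaped like the transfer the article describes (tiny VRSC input, large ETH, tBTC and USDC outputs).

```python
"""Hypothetical cross-chain export (CCE) validator used to illustrate the
article's point: a blob can be perfectly authentic and still be unbacked.
Constructed example, not Verus code."""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed key standing in for the notary signatures a real bridge verifies.
NOTARY_KEY = b"example-notary-key-not-real"


def sign_blob(blob: dict) -> str:
    """Authenticity tag over the canonical JSON encoding of an export blob."""
    payload = json.dumps(blob, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()


def verify_signature(blob: dict, tag: str) -> bool:
    """Was exactly this blob signed? Says nothing about whether amounts balance."""
    return hmac.compare_digest(sign_blob(blob), tag)


def sum_by_currency(entries) -> dict:
    """Aggregate {"currency", "amount"} entries (amounts in integer base units)."""
    totals = defaultdict(int)
    for entry in entries:
        if entry["amount"] < 0:
            raise ValueError("negative amount in export blob")
        totals[entry["currency"]] += entry["amount"]
    return dict(totals)


def check_cce_values_unreconciled(blob: dict, tag: str) -> bool:
    """Models the flaw the article describes: authenticity only, no accounting."""
    return verify_signature(blob, tag)


def check_cce_values(blob: dict, tag: str) -> tuple:
    """Hardened check: authenticity AND, per currency, outputs <= inputs."""
    if not verify_signature(blob, tag):
        return False, "bad signature"
    inputs = sum_by_currency(blob["inputs"])
    outputs = sum_by_currency(blob["outputs"])
    for currency, out_amount in outputs.items():
        in_amount = inputs.get(currency, 0)
        if out_amount > in_amount:
            return False, f"{currency}: outputs {out_amount} exceed inputs {in_amount}"
    return True, "ok"


# Constructed legitimate export: 1 ETH locked on the source side, 1 ETH released.
LEGIT_BLOB = {
    "export_id": 1,
    "inputs": [{"currency": "ETH", "amount": 10**18}],
    "outputs": [{"currency": "ETH", "amount": 10**18, "to": "0xRECIPIENT_PLACEHOLDER"}],
}

# Constructed fabricated export shaped like the article's: 0.02 VRSC of inputs
# (8 decimals) against outputs of 1,625 ETH, 103.6 tBTC and 147,000 USDC.
FABRICATED_BLOB = {
    "export_id": 2,
    "inputs": [{"currency": "VRSC", "amount": 2_000_000}],
    "outputs": [
        {"currency": "ETH", "amount": 1_625 * 10**18, "to": "0xRECIPIENT_PLACEHOLDER"},
        {"currency": "tBTC", "amount": 1_036 * 10**17, "to": "0xRECIPIENT_PLACEHOLDER"},
        {"currency": "USDC", "amount": 147_000 * 10**6, "to": "0xRECIPIENT_PLACEHOLDER"},
    ],
}


def demo() -> dict:
    """Run both checks over both blobs; each blob carries a valid tag."""
    results = {}
    for name, blob in (("legit", LEGIT_BLOB), ("fabricated", FABRICATED_BLOB)):
        tag = sign_blob(blob)
        results[name] = {
            "unreconciled": check_cce_values_unreconciled(blob, tag),
            "reconciled": check_cce_values(blob, tag)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The fabricated blob passes the signature check in both versions, because nothing about it was tampered with after signing; only the reconciliation step rejects it, because its ETH, tBTC and USDC outputs have zero matching inputs. A tag copied from one blob onto a modified one still fails the signature check, so the two checks catch different failure modes and a bridge needs both.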
This vulnerability belongs to the same class of missing input validation bugs that plagued earlier bridge exploits including Wormhole ($320M, February 2022) and Nomad ($190M, August 2022). Despite these high-profile precedents, the Verus bridge launched without this fundamental check. Security firms Blockaid and PeckShield independently confirmed the exploit mechanics. The drainer wallet (0x65Cb...C25F9) held the consolidated ETH proceeds as the attack was flagged as ongoing at the time of initial reporting.
In a notable development, the Verus team negotiated with the attacker and reached a bounty agreement on May 22. The exploiter returned 4,052.4 ETH (approximately $8.5 million) to a Verus-controlled wallet (0xF9AB...C1A74), retaining 1,350 ETH (approximately $2.8 million) as an agreed-upon bounty. PeckShield confirmed the fund recovery on social media. The Verus team stated they would "halt all investigations if the attacker followed the agreement," framing the outcome as a structured recovery rather than pursuing legal prosecution.
Cross-chain bridge users should treat bridge interactions as inherently higher-risk operations and limit exposure accordingly. Before using any bridge, verify that it has undergone recent audits that specifically test input-output amount reconciliation across chains. The Verus incident demonstrates that even bridges with correct cryptographic implementations can fail catastrophically if basic accounting checks are absent. Users should also weigh a bridge's total value locked (TVL) against its audit history: a bridge holding significant value with limited security review represents elevated risk.
RugPull News • May 18, 2026
Rug Pull Score
7.5/10
Based on our analysis
🚩 Red Flags Identified
- Bridge contract's checkCCEValues function lacked source-amount validation, allowing fabricated cross-chain transfers
- Attacker wallet 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 on Ethereum initiated the exploit
- Attacker created a 0.02 VRSC transaction (~$0.01) that triggered $11.58M in unauthorized withdrawals
- 1,625 ETH, 103.6 tBTC, and 147,000 USDC drained and swapped to 5,402 ETH in a single operation
- Attack wallet was funded via Tornado Cash approximately 14 hours before the exploit
- Same class of vulnerability (missing input validation) that previously hit Wormhole and Nomad bridges in 2022
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.