Verus-Ethereum Bridge Drained Of $11.6M Via Validation Flaw

On May 18, 2026, blockchain security firm Blockaid detected an active exploit targeting the Verus-Ethereum cross-chain bridge, ultimately draining approximately $11.58 million in digital assets. The attacker's externally owned account (0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 on Ethereum) had been funded with 1 ETH through Tornado Cash approximately 14 hours before the attack. The exploit drained 1,625 ETH, 103.6 tBTC (Threshold Network's tokenized Bitcoin), and 147,000 USDC from the bridge contract (0x71518580f36feceffe0721f06ba4703218cd7f63 on Ethereum). The stolen assets were subsequently swapped for approximately 5,402.4 ETH and consolidated in the holding wallet 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9. The exploit leveraged a fundamental validation gap in the bridge's cross-chain verification logic. While the bridge correctly verified signatures, state roots, and Merkle proofs, it critically failed to confirm whether the assets being requested on Ethereum were actually backed by equivalent value on the Verus side. The attacker created a low-value transaction of roughly 0.02 VRSC containing a Verus Cross-Chain Export that committed to a payout hash while leaving the associated source-side totals effectively empty. The function call 0x8c49b257 triggered the bridge's reserve asset transfer, releasing millions in assets for approximately $10 in Verus transaction fees. According to Halborn's post-mortem analysis, the flaw was in the checkCCEValues validation process, which failed to match input amounts against output amounts. The vulnerability bore striking resemblance to exploits previously seen in the 2022 Wormhole and Nomad bridge hacks, both of which involved mismatched validation between source and destination chains. This places it within a well-documented class of cross-chain infrastructure vulnerabilities that continue to produce some of the largest individual losses in DeFi. At least eight major bridge-related security breaches were recorded between February and mid-May 2026, with combined losses estimated at approximately $328.6 million. In a notable resolution, the Verus development team offered a whitehat bounty deal to the exploiter. The terms specified that if the attacker returned 4,052.4 ETH within 24 hours, the remaining funds would be recognized as a legitimate bounty, and the team would halt all investigation and legal pursuit. The exploiter accepted, returning 4,052 ETH (approximately $8.5 million) to a designated Verus team wallet while retaining 1,350 ETH (~$2.8 million) as the bounty reward. Cross-chain bridges remain among the highest-risk components in DeFi infrastructure. Users should minimize the amount of assets held in bridge contracts and prefer bridges that have undergone multiple independent security audits specifically covering cross-chain validation logic. The Verus exploit demonstrates that even when cryptographic verification (signatures, Merkle proofs) functions correctly, a missing business-logic check — in this case, simple amount matching — can render all other protections meaningless. Bridge users should monitor security dashboards such as Blockaid and PeckShield for real-time exploit alerts and consider distributing cross-chain holdings across multiple bridge solutions to limit single-point exposure.