Verus Ethereum Bridge Exploited For $11.58M, Researchers Trace Flaw To Cross-Chain Validation Gap

Web3 security platform Blockaid reported that its exploit detection system had identified an ongoing attack targeting the cross-chain Ethereum bridge operated by Verus, with approximately $11.58 million in assets drained so far.

According to the analysis, the suspected root cause resembles vulnerabilities previously seen in the 2022 exploits involving Wormhole bridge exploit and Nomad bridge exploit, where a gap existed between source-chain value commitments and destination-chain payouts. 

Investigators stated that the bridge successfully verified several cryptographic components, including the notarized Verus state root, valid notary signatures, Merkle proofs for cross-chain exports, and hash bindings tied to serialized transfers. However, the system allegedly failed to confirm whether the export on the source chain contained sufficient amounts, fees, or burned assets to support the payouts executed on Ethereum.

Researchers said the attacker created a low-value transaction of roughly 0.02 VRSC containing a Verus Cross-Chain Export that committed to a payout hash while leaving the associated source-side totals effectively empty. The protocol reportedly accepted the transaction as valid, and notaries subsequently signed the resulting state root. The attacker then called the submitImports() function on Ethereum using a serialized transfer payload whose hash matched the committed value. After verification, the bridge released reserve assets amounting to 1,625 ETH, 103 tBTC, and approximately 147,000 USDC. The estimated execution cost was reported to be around $10 in VRSC transaction fees, while the proceeds totaled about $11.58 million.

Blockaid emphasized that the incident was not linked to an ECDSA bypass, compromised notary keys, or a parsing or hash-binding flaw. Instead, the company attributed the exploit to missing source-amount validation logic within the checkCCEValues process, describing the issue as potentially fixable with a relatively small Solidity code update.

Security firm GoPlus stated that the attacker drained a significant amount of reserve assets from the Ethereum side of the bridge in a single transaction. Analysts noted that the exploit followed a familiar pattern seen in multiple bridge-related incidents during 2026, after previous attacks affecting projects such as Kelp DAO and Hyperbridge reportedly contributed to cumulative losses worth hundreds of millions of dollars across the sector.

According to GoPlus, the attacker’s wallet currently holds around 5,402 ETH. The funds have reportedly not yet undergone laundering, bridging, or broad distribution, leaving open the possibility of tracing or recovery efforts. Investigators added that the exploit was triggered after the attacker submitted a low-value transaction invoking a specific contract function identified as 0x8c49b257, after which the bridge contract transferred reserve assets directly to the attacker-controlled wallet. The findings suggest a potential flaw involving cross-chain message verification, withdrawal validation, or access control mechanisms.

Blockchain security firm PeckShield later reported that the attacker’s address had initially been funded with 1 ETH through Tornado Cash approximately 14 hours before the exploit took place.

As of now, Verus has not publicly commented on the incident or issued an official warning to users regarding the exploit.

Verus Breach Adds To Rising DeFi Security Losses

Verus is a privacy-focused blockchain network launched in 2018 that operates using a hybrid proof-of-power consensus model combining proof-of-work and proof-of-stake mechanisms. In October 2023, the project introduced the Verus-Ethereum bridge, designed to allow users to transfer and convert assets between the Verus ecosystem and the Ethereum network.

The exploit targeting the Verus bridge comes amid a broader rise in attacks against cross-chain infrastructure. Blockchain security firm PeckShield reported that at least eight major bridge-related security breaches were recorded between February and mid-May 2026, resulting in combined losses estimated at approximately $328.6 million. The figures highlight the continued exposure of cross-chain protocols, which remain among the most frequently targeted sectors within decentralized finance.

The Verus incident followed several other notable bridge-related exploits reported in recent days. On May 15, THORChain temporarily suspended trading activity after a multichain exploit impacted networks including Bitcoin, Ethereum, BNB Chain, and Base. Initial estimates placed the losses at slightly above $10 million, while investigators continued monitoring addresses linked to the stolen funds.

A separate incident was disclosed by TAC on May 14, when the TON segment of its cross-chain infrastructure was reportedly compromised. The project stated that around $2.8 million in USDT, BLUM, and tsTON assets had been drained. TAC added that TON-native assets, TAC assets, and ERC-20 tokens bridged from Ethereum were not affected by the breach. The protocol later paused bridge operations while security teams conducted forensic investigations into the attack.

The post Verus Ethereum Bridge Exploited For $11.58M, Researchers Trace Flaw To Cross-Chain Validation Gap appeared first on Metaverse Post.