Verus Protocol’s Ethereum Bridge Exploited in Over $11 Million Crypto Theft

A vulnerability in Verus Protocol’s Ethereum bridge allowed hackers to steal more than $11 million by forging cross-chain transfer messages, exposing gaps in bridge security.

Editorial Team · May 18, 2026 · 2 min read · Source: cointelegraph.com

Security researchers have identified a substantial exploit targeting Verus Protocol’s Ethereum bridge, resulting in the theft of over $11 million in cryptocurrency. The attacker manipulated the bridge with counterfeit cross-chain transfer instructions that triggered unauthorized transfers from the protocol’s reserves to the hacker’s wallet.

The breach involved fraudulent messages that the bridge mistakenly accepted as valid, enabling the attacker to withdraw 1,625 Ether (ETH), 147,659 USDC stablecoins, and 103.57 tBTC v2 tokens, totaling more than $11.5 million. After the initial transactions, the stolen assets were reportedly converted into Ether within the hacker’s wallet, which now holds a balance exceeding 5,400 ETH, valued at over $11 million according to blockchain explorers.

Blockchain security firms Blockaid and PeckShield both flagged the incident as an exploit rather than a system failure related to signature verification or key compromise. Blockaid explained that the root cause was a missing validation step in the bridge’s Solidity code that failed to verify source amounts during transfer processing. This flaw allowed the attacker to bypass critical checks and issue fraudulent transfer commands.

Security analysts compared this attack to past high-profile bridge exploits such as the Nomad Bridge ($190 million lost) and Wormhole Bridge ($325 million lost) hacks from 2022, which similarly exploited weaknesses in cross-chain message authentication. ExVul, another security provider, noted the attacker used a "forged cross-chain import payload" that passed through the bridge’s verification routine undetected, underscoring shortcomings in input validation and proof verification methods.

Experts recommend that cross-chain bridges implement rigorous payload-to-execution binding to authenticate every transfer effect with verified data before execution. They also advise defense-in-depth strategies including strict proof verifications and emergency mechanisms to pause suspicious outbound flows when abnormal imports are detected.

This latest theft adds to a growing number of decentralized finance (DeFi) vulnerabilities, following a $10 million exploit affecting THORChain shortly before. Crypto bridges continue to serve as critical yet risky components of blockchain interoperability, with millions lost due to similar exploit tactics in the recent past.