Verus Ethereum bridge drained of $11.5M in forged transfer exploit

The Verus Protocol Ethereum bridge has suffered an exploit that has allowed an attacker to siphon off more than $11.5 million in crypto assets through what security researchers described as a forged cross-chain transfer message.

According to onchain security platform Blockaid, the exploit was detected late Sunday after its monitoring systems flagged suspicious activity tied to the Verus-Ethereum bridge. Blockaid identified the attacker wallet as “0x5aBb…D5777” and said the stolen funds were initially moved into another address labeled “0x65C…C25F9.”

Data shared by blockchain security firm PeckShield showed that the drained assets included 103.6 tBTC, 1,625 ETH, and nearly 147,000 USDC. PeckShield later reported that the attacker swapped the stolen tokens into 5,402 ETH, valued at roughly $11.4 million based on current prices.

Hours before the exploit took place, PeckShield said the attacker’s wallet had received 1 ETH through crypto mixer Tornado Cash, a detail that often appears in attacks involving attempts to obscure transaction origins.

Further analysis from GoPlus Security indicated that the attacker first sent a low-value transaction to the bridge contract before invoking a function that caused reserve assets to be batch-transferred to the drainer wallet.

GoPlus said the exploit was “highly likely” tied to either cross-chain message validation failure, withdrawal logic bypass, or an access control weakness inside the bridge mechanism.

Offering a more specific explanation, Blockaid later stated that the incident resembled the 2022 Nomad Bridge exploit and Wormhole exploit attacks, where fraudulent transfer instructions tricked protocols into releasing reserve funds.

In a follow-up technical assessment, Blockaid said the exploit was “not an ECDSA bypass,” “not a notary key compromise,” and “not a parser/hash-binding bug.” Instead, the firm attributed the issue to “a missing source-amount validation in checkCCEValues,” describing it as a flaw that could reportedly be fixed with around 10 lines of Solidity code.

Blockchain security provider ExVul reached a similar conclusion, saying the attacker used a “forged cross-chain import payload” that successfully passed the bridge’s verification process. According to ExVul, the exploit eventually triggered three separate transfers from the bridge reserves into the attacker-controlled wallet.

ExVul added that cross-chain proof systems should directly tie transfer execution to authenticated payload data before funds are released. The firm also recommended stricter payload validation, layered verification protections, and emergency pause mechanisms for unusual outbound transfers.

Bridge exploits continue to hit DeFi sector

Launched in 2023, the Verus-Ethereum bridge allows users to move and convert assets between the Verus network and Ethereum. The protocol itself was introduced in 2018 and operates using a hybrid proof-of-work and proof-of-stake consensus model.

As of publication, the Verus team had not publicly commented on the exploit.

The incident has arrived during a year already hit by multiple major decentralized finance breaches. According to security tracking data cited in the additional reports, crypto hackers stole more than $168.6 million from 34 DeFi protocols during the first quarter of 2026 alone.

April accounted for two of the largest attacks recorded this year, including the reported $280 million Drift Protocol exploit and the $292 million Kelp exploit.

Over the weekend, cross-chain liquidity protocol THORChain also confirmed suffering a separate $10 million exploit, adding to mounting concerns surrounding bridge and interoperability infrastructure across the DeFi sector.