Verus–Ethereum Bridge Exploit Drains $11.58M Through Validation Gap

The Verus–Ethereum bridge suffered an exploit that drained approximately $11.58 million in tBTC, ETH and USDC. The breach exposed a critical failure in cross-chain validation, where cryptographically valid proofs were accepted even though the requested payouts lacked economic backing on the source chain.

The attack shows why bridge security cannot rely only on signature validity or proof verification. In this case, the destination contract accepted a signed state root, but failed to confirm that source-chain export totals matched the assets being released on Ethereum.

Valid Proofs Enabled Unsupported Payouts

Attackers used a low-cost transaction on the Verus chain, paying roughly $10 in VRSC fees, to create a payout blob with empty source-side totals. The Verus protocol treated the transaction as valid, and eight of fifteen notaries signed the resulting state root.

The attacker then submitted the signed proof to the Ethereum bridge contract through submitImports(). The contract performed its cryptographic checks correctly, but did not enforce the economic binding between exported value and requested payout value.

Security analysts pointed to the checkCCEValues logic as the key missing control. A minimal Solidity-level check ensuring that source-chain export totals matched destination-chain import requests would have blocked the exploit before funds were released.
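The missing economic binding can be shown with a simplified model. The following is an added example in Python, not the bridge's Solidity code or the actual checkCCEValues logic; the class, field and function names and the sample bundles are hypothetical, and fees are ignored so that payouts must equal the export totals exactly.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Payout:
    currency: str
    amount: int       # smallest unit of the currency
    recipient: str

@dataclass
class ImportBundle:       # hypothetical shape of a submitted import
    proof_ok: bool        # stand-in for the notary-signature / state-root proof result
    export_totals: dict   # currency -> amount the source chain recorded as exported
    payouts: tuple        # Payout entries the destination is asked to release

def requested_totals(bundle):
    """Sum the requested payouts per currency."""
    totals = defaultdict(int)
    for p in bundle.payouts:
        if p.amount <= 0:
            raise ValueError(f"non-positive payout to {p.recipient}")
        totals[p.currency] += p.amount
    return dict(totals)

def accept_proof_only(bundle):
    """Behaviour the article describes: a valid proof alone is sufficient."""
    return bundle.proof_ok

def accept_reconciled(bundle):
    """Valid proof AND payouts that equal the source-side export totals."""
    if not bundle.proof_ok:
        return False, "proof rejected"
    declared = {c: a for c, a in bundle.export_totals.items() if a > 0}
    requested = requested_totals(bundle)
    for cur in sorted(set(declared) | set(requested)):
        exported, wanted = declared.get(cur, 0), requested.get(cur, 0)
        if exported != wanted:
            return False, f"{cur}: exported {exported}, requested {wanted}"
    return True, "ok"

# Constructed sample bundles (amounts and recipients are illustrative only).
UNBACKED = ImportBundle(True, {}, (Payout("ETH", 5, "0xRecipientA"),
                                   Payout("USDC", 700, "0xRecipientA")))
BACKED = ImportBundle(True, {"ETH": 5, "USDC": 700},
                      (Payout("ETH", 2, "0xRecipientB"), Payout("ETH", 3, "0xRecipientC"),
                       Payout("USDC", 700, "0xRecipientB")))

if __name__ == "__main__":
    for name, bundle in (("unbacked", UNBACKED), ("backed", BACKED)):
        print(name, accept_proof_only(bundle), accept_reconciled(bundle))
```

The bundle with empty export totals passes the proof-only path but is rejected once payouts are reconciled against the source-side totals.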

The assets drained included 103.6 tBTC worth about $7.7 million, 1,625 ETH worth about $3.5 million and 147,000 USDC. The attacker quickly consolidated the proceeds into roughly 5,402.4 ETH, worth about $11.4 million, in a single wallet.

PeckShield and other on-chain analysts traced the movement of the funds. The attacker’s wallet had been funded through a mixing service about 14 hours before the exploit, a funding path that added a familiar laundering and attribution challenge for investigators following the stolen assets.

Economic Validity Becomes the Core Bridge Requirement

The exploit reinforces a recurring lesson in bridge failures: cryptographic validity does not equal economic validity. A proof can be mathematically acceptable while still authorizing an economically unsupported transfer if the contract does not verify source-side value.

The pattern resembles earlier bridge failures such as Wormhole and Nomad, where source-to-destination binding weaknesses contributed to major losses. These incidents show cross-chain systems remain concentrated points of systemic risk across DeFi infrastructure.

Liquidity routed through bridges carries a persistent risk premium, especially when validation depends on notary signatures or proof systems that do not independently verify economic totals.

Protocol developers need explicit on-chain checks that correlate exported amounts on the source chain with import requests on the destination chain. Without that control, attackers can exploit legitimate-looking proofs to trigger unsupported payouts.

The Verus–Ethereum breach adds to the broader rise in DeFi incidents in early 2026 and will likely intensify scrutiny of bridge architecture. For custodians, liquidity providers and risk managers, cross-chain due diligence now requires reviewing both cryptographic verification and economic reconciliation logic.
