Verus-Ethereum bridge drained for $11.5M in forged proof exploit

On May 18, an attacker drained approximately $11.5 million from the Verus-Ethereum bridge using a forged Merkle proof. This event adds to the growing number of cross-chain bridge exploits that have now reached $328.6 million in 2026 alone.

The Verus-Ethereum bridge is the latest to suffer an exploit in a month that seems to have picked up from where record-making April left off.

How was Verus hacked? 

Blockchain security firm PeckShieldAlert reported that the attacker extracted 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge contract, then swapped the stolen tokens into 5,402.4 ETH worth roughly $11.4 million. 

According to PeckShieldAlert and Blockaid, both of whom independently flagged the exploit, the converted funds reportedly remain in a single wallet at address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.

Blockaid also identified the attacker’s externally owned account and published the exploit transaction hash.

How did the exploit work?

Blockaid shared a thread on X, stating that the attack was of the same vulnerability class behind two of crypto’s most notorious bridge hacks, the $320 million Wormhole breach and the $190 million Nomad drain, both in 2022. 

According to Blockaid, the Verus bridge correctly verified notarized state roots, including cryptographically valid signatures from 8 of 15 notaries. However, the weakness lay in what the bridge failed to check beyond that verification step. 

Cos, who is the founder of blockchain security firm SlowMist and known as @evilcos on X, stated, “The cause of the hack might be that the attacker constructed a forged Merkle proof, which passed the verification of the Verus Ethereum bridge (not open-source), allowing them to smoothly withdraw the funds (ETH/tBTC/USDC).” Cos added that “specific details need further verification.”

Verus ran an emergency patch just two days before hack

According to CoinXtreme, Verus had pushed what it called an “urgent and mandatory” emergency update, version 1.2.14-2, just two days before the exploit occurred. 

The update was described as a fix for a vulnerability; however, it is not yet clear whether the patched issue and the exploited vulnerability are related, as Verus has not publicly commented on the incident as of the time of reporting.

Bridge exploits top $328 million this year

Eight major bridge-related exploits have now occurred this year, with the Verus bridge being the latest, per PeckShieldAlert. The cumulative loss is around $328.6 million. 

This adds to what is now seen as a pattern that has afflicted cross-chain infrastructure since bridges like Wormhole and Nomad suffered major exploits four years ago.

Critics continue to point out that bridges remain high-value targets because they custody large pools of locked assets, and a single verification flaw can unlock the entire pool.

The DeFi space has generally been under attack, with large-scale and small-scale attacks spilling from April into May. Cryptoplitan reported on notable exploits that have occurred in May, including exploits against Ink Finance and Renegade that cost a combined $349,000 and a private key compromise at Syndicate Labs that led to the loss of 18.5 million SYND tokens.

VRSC, the native token of the Verus network, was trading at approximately $0.75 with a market capitalization of over $60 million at the time of the exploit, according to CoinMarketCap data.

If you're reading this, you’re already ahead. Stay there with our newsletter.