Verus-Ethereum Bridge Loses $11.5M as Attacker Swaps All Funds to ETH

Another cross-chain bridge has been drained. The Verus-Ethereum Bridge lost approximately $11.58 million. On May 17-18, 2026, in an exploit first flagged by Blockaid’s real-time detection system and confirmed by PeckShield. The attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge’s reserves. All stolen funds were immediately swapped into 5,402.4 ETH. It is worth roughly $11.4 million and consolidated into a single wallet address. The attacker’s initial funding came from Tornado Cash approximately 14 hours before the drain. Crypto hack news in 2026 keeps returning to the same vulnerability class. And the Verus-Ethereum Bridge exploit is its clearest example yet.

How $10 Became $11.5 Million

The technical root cause is what makes this attack particularly alarming. Blockaid’s analysis confirmed this was not a key compromise. Not a signature bypass. Not a hash collision. The bridge verified everything it was designed to verify. It notarized Verus state roots, Merkle proofs, and hash commitments. It just never checked whether the source-chain transaction actually backed the payouts with real value.

🔎 Verus-Ethereum Bridge $11.58M drain – Suspected root cause

Same class as Wormhole-2022 / Nomad-2022: source ↔ destination economic-value binding gap.

What the bridge correctly verifies:
✓ Notarized Verus state root (8/15 valid notary sigs, all cryptographically sound)
✓…

— Blockaid (@blockaid_) May 18, 2026

The attacker built a transaction spending approximately $10 worth of VRSC fees. That transaction committed to a payout blob with empty source-side totals. With zero real value locked on the Verus-Ethereum Bridge side. Verus protocol accepted the transaction as legitimate. Eight of fifteen notaries cryptographically signed the resulting state root. The attacker then submitted that signed proof to the Ethereum bridge contract via submitImports().

The bridge verified the proof. Decoded the blob and paid out $11.58 million from its reserves. Blockaid described the fix with stark simplicity. Approximately ten lines of Solidity in the checkCCEValues function. That would have prevented the entire attack by validating that source-chain export totals actually backed the requested payouts.

A Familiar Pattern

Ethereum news from the 2022 bridge era is repeating itself. Blockaid directly compared this exploit to the Wormhole and Nomad bridge hacks. Both of which exploited source-destination economic-value binding gaps rather than cryptographic failures. The Verus-Ethereum Bridge exploit follows the same architecture: valid proofs, invalid economics, catastrophic payout. The attacker EOA address 0x5aBb…D5777 initiated the exploit transaction. The drainer wallet 0x65Cb…C25F9 currently holds the consolidated ETH proceeds. Both addresses are publicly trackable on Etherscan.

What This Means for Investors and Developers

For crypto hack news followers and bridge users, the Verus-Ethereum Bridge exploit reinforces a critical lesson. Cryptographic validity and economic validity are not the same thing. A bridge can verify every signature correctly and still pay out funds that were never deposited. For Ethereum developers building cross-chain infrastructure, Blockaid’s root cause analysis is required reading. 

Every bridge implementation needs explicit validation that source-chain locked value matches destination-chain payout amounts, independently of proof verification. This is because proof correctness guarantees the message is authentic, but it does not guarantee the economics are sound. In other words, a valid proof does not automatically mean a valid transaction. Ultimately, that specific security gap just cost the Verus-Ethereum Bridge $11.5 million.