Quick Insights

  • An attacker drained approximately $11.58 million from the Verus-Ethereum bridge on Sunday, taking 103.6 tBTC, 1,625 ETH and 147,000 USDC before consolidating into 5,402 ETH.
  • The attack cost the exploiter roughly $10 in VRSC transaction fees, with the attacker's Ethereum wallet seeded with 1 ETH through Tornado Cash 14 hours before the breach.
  • Blockaid traced the exploit to a missing source-amount validation in the bridge's checkCCEValues function. The fix would require approximately ten lines of Solidity code.
  • The Verus drain is the eighth major bridge exploit of 2026, with cumulative bridge losses across the year reaching approximately $328.6 million by PeckShield's count.

The Verus-Ethereum bridge was drained for approximately $11.58 million in the early hours of Sunday, in what security firms are calling a near-perfect replica of the Wormhole and Nomad bridge exploits of 2022. The attacker spent roughly $10 in VRSC network fees to extract a $11.58 million payout from the bridge's Ethereum-side reserves, then swapped the stolen tBTC, ETH and USDC into a single position of 5,402 ETH worth roughly $11.4 million. The funds remain in the attacker's wallet.

A $10 Transaction Triggered an $11.58 Million Drain

The technical breakdown from Blockaid is the clearest account of how the attack actually worked. The Verus-Ethereum bridge correctly verified three things at the time of the exploit: a Verus state root signed by eight of fifteen notaries (cryptographically sound), a Merkle proof of the cross-chain export, and a hash binding confirming transfer data integrity. None of those security checks were bypassed or forged.

What the bridge did not check was whether the export transaction on the Verus side actually had any value attached to it. The attacker built a Verus-side transaction that committed to an $11.58 million payout but locked zero value as collateral on the source chain. Verus notaries cryptographically signed the resulting state root, the attacker submitted the signed proof to the Ethereum bridge contract via submitImports(), and the contract paid out the full amount from its reserves.

The structural pattern is the same as the 2022 Nomad and Wormhole hacks: a source-to-destination economic value binding gap. The bridge verified that the proof was technically valid without verifying that the proof corresponded to actual locked assets on the source chain. Blockaid noted that the fix would require approximately ten lines of Solidity code in the checkCCEValues function. The technical simplicity of the fix is what makes the loss particularly painful.

This Is the Eighth Major Bridge Exploit of 2026

The Verus loss extends a pattern that has dominated DeFi security headlines all year. PeckShield's count puts bridge-related losses for 2026 at approximately $328.6 million across eight major incidents in the first five months alone. Bridges have replaced lending protocols as the most heavily targeted DeFi infrastructure category, primarily because they tend to hold large pools of locked liquidity in a single set of smart contracts that exist outside the regular audit cadence of individual chain ecosystems.

The largest single bridge exploit of 2026 remains the Kelp DAO breach in April, which drained $292 million through what investigators described as a cross-chain message spoofing attack. April set the year's worst month for crypto exploits overall, with more than $625 million stolen across roughly 30 incidents according to CertiK data. The Verus loss sits well within the standard pattern of 2026 bridge attacks: a technically subtle validation gap, immediate consolidation of stolen assets into ETH, and an attacker wallet pre-funded through Tornado Cash to maintain operational anonymity.

The Verus breach also comes three days after THORChain halted trading following a separate $10 million vault exploit. THORChain confirmed user balances were not affected, though the protocol's investigation remains active. DeFiLlama data shows that 12 DeFi protocols were hit in May before the Verus exploit, with combined losses already topping $20 million for the month before adding the Verus figure on top.

The Recovery Window Is Narrow and Fast-Closing

The stolen funds currently sit in a single Ethereum wallet (0x65Cb...25F9), which means there is still a recovery window for Verus and the security firms tracking the exploit. Wallet freeze attempts on exchanges, OFAC-style sanctions on the attacker's address, and direct negotiation with the attacker (Curve and several other 2024 hack victims have successfully negotiated whitehat bounties of 10% to 15%) are all on the table. Once the funds move into Tornado Cash or are converted through cross-chain swaps, recovery becomes near impossible.

Verus had issued an "urgent and mandatory" emergency update for a separate vulnerability just two days before the exploit, which suggests the attacker may have been studying the protocol closely. The team has not yet issued a public statement on whether user funds beyond the bridge reserves are at risk, or whether a compensation plan will be developed for affected users.

The broader takeaway is that bridge security in 2026 remains the unsolved problem at the centre of multi-chain crypto infrastructure. The cryptographic primitives work. The validation logic does not. Until cross-chain bridges adopt source-to-destination value-binding checks as a default rather than an afterthought, the same exploit class that took down Nomad and Wormhole in 2022 will keep producing eight-figure losses.

Disclaimer: Nakamoto Daily provides information for educational and entertainment purposes only. Nothing published here constitutes financial, investment, or trading advice. Readers should conduct their own research and consult a qualified financial adviser before making any investment decisions.