Verus-Ethereum Bridge Hack

On May 18, 2026, the Verus-Ethereum bridge was drained of about $11.58 million in an exploit detected in real time by Blockaid and confirmed by PeckShield. The attacker did not break any cryptographic primitive; instead they exploited a validation gap between source-chain value and destination payout. On the Verus side, notaries correctly verified the structure and authenticity of a transfer blob and signed the resulting state root, even though the blob committed only about $0.01 of real VRSC input. On the Ethereum side, the bridge’s submitImports() function accepted the signed proof but was missing a check, within its checkCCEValues logic, that the input amount matched the payout, so it released roughly 103.6 tBTC, 1,625 ETH, and 147,000 USDC from reserves. The attacker, whose wallet had been seeded with 1 ETH through Tornado Cash about 14 hours earlier and who spent only around $10 in VRSC fees, immediately swapped everything into about 5,402 ETH in a single wallet. Blockaid and Halborn noted the flaw belonged to the same class behind the 2022 Wormhole and Nomad bridge hacks, and that a short value-validation check would have prevented the drain, reinforcing that bridges must bind destination payouts to verified source-chain value, not merely to valid proofs.