The Verus-Ethereum Bridge lost approximately $11.58 million in a validated exploit flagged on May 17-18, 2026. The attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge's reserves. All stolen assets were immediately swapped for 5,402.4 ETH, worth roughly $11.4 million, and consolidated into a single wallet: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
The funding trail reveals premeditation. The attacker's initial EOA received 1 ETH routed through Tornado Cash approximately 14 hours before the drain, obscuring the origin of exploit capital before the attack transaction was built.
This exploit joins a string of cross-chain bridge attacks in 2026. The Verus-Ethereum Bridge verified all cryptographic proofs correctly-it notarized Verus state roots and Merkle proofs-but never validated that the source-chain export actually backed the payouts with real value. That economic validation gap, the same class as Wormhole-2022 and Nomad-2022, cost the bridge $11.58 million.
The $10 Attack Vector: How a Minimal Fee Triggered Millions in Losses
The attacker spent roughly about $10 in VRSC fees to trigger withdrawals worth millions from the bridge's reserves. This disproportionate return came from a critical gap: the bridge validated cryptographic proofs but never confirmed that source-chain exports actually backed the payouts with real value.
The attacker constructed a transaction committing to a payout blob with empty source-side totals-zero real value locked-yet Verus protocol accepted it as legitimate. Eight of fifteen notaries cryptographically signed the resulting state root, and the attacker submitted that signed proof to the Ethereum bridge contract via submitImports(). The bridge verified the proof, decoded the blob, and paid out the stolen funds.
Developers are preparing a Solidity patch to close this vulnerability. The fix requires approximately ten lines of code in the checkCCEValues function to validate that source-chain export totals actually back requested payouts. This exploit follows the same pattern as Wormhole-2022 and Nomad-2022-valid cryptographic proofs paired with invalid economics resulting in catastrophic payouts. The critical distinction is that proof correctness guarantees message authenticity but doesn't ensure economic validity; a valid proof doesn't automatically mean a valid transaction.
Bridge Exploits Continue to Dominate 2026 Loss Rankings
The Verus-Ethereum Bridge loss arrives three days after THORChain halted trading, where a breach of one vault reportedly drained over $10 million in protocol-owned funds. May's DeFi hack tally now exceeds $20 million across 12 protocols, following April's $606 million in losses dominated by the Kelp DAO bridge drain at $293 million. This pattern holds: bridge exploits consistently produce the largest individual losses annually, with both Drift and Kelp DAO losses stemming from infrastructure connecting chains or managing cross-protocol messaging. Four additional smaller exploits targeted bridge-related components, confirming attackers prioritize cross-chain infrastructure over smart contracts themselves.
The Verus-Ethereum Bridge loss-while substantial-fits this broader trend of infrastructure targeting. The attacker exploited the same validation gap seen in Wormhole-2022 and Nomad-2022, confirming that cryptographic proof verification alone doesn't guarantee economic validity. This class of vulnerability continues to generate the year's most costly breaches.