Image Credit: Shutterstock
The Verus-Ethereum bridge was exploited for about $11.58 million on May 18, adding another cross-chain incident to a year already marked by major DeFi security failures.
Blockaid said it detected an ongoing exploit on the bridge. Early reports said Verus had not publicly confirmed the incident, though later reporting said the team announced the bridge attack, paused the network and began investigating.
Attacker Swaps Stolen Assets Into 5,402 ETH
The stolen assets included about 1,625 ETH, nearly 147,000 USDC and 103.6 tBTC, according to security researchers cited in market reports. PeckShield later reported that the attacker swapped the stolen tokens into roughly 5,402 ETH, consolidating most of the value into Ether after the exploit.
Security reports also said the wallet used in the exploit had been funded with 1 ETH through Tornado Cash hours earlier. That pattern is often seen when attackers try to obscure the source of operational wallets before launching an attack.
Missing Source-Amount Check Suspected
Early security analysis points to a bridge verification failure rather than a compromise of Ethereum itself. Researchers linked the exploit to a forged cross-chain transfer message and missing validation checks in the bridge verification process.
Blockaid later said the issue was not an ECDSA bypass, not a notary key compromise and not a parser or hash-binding bug. The firm said the flaw was instead tied to missing source-amount validation in a bridge check function. That distinction matters because the exploit appears to have targeted how the bridge verified cross-chain messages, not the underlying Ethereum network.
5,402 ETH Consolidation Adds Bridge Scrutiny
The Verus exploit adds to scrutiny of cross-chain bridges, which remain frequent targets because they control large pools of escrowed assets and rely on complex validation logic across networks. For Verus users, the immediate risk is concentrated around the affected Ethereum bridge, and the network response is now under investigation.
For the wider DeFi market, the incident reinforces a familiar problem. When cross-chain message validation fails, attackers can drain reserve assets quickly and move funds before a full technical postmortem is available.
