DeFi Protocol Verus Hit by Major Security Breach on Ethereum Bridge

A decentralized finance project called Verus is grappling with a serious security incident involving its cross-chain connection to Ethereum. Blockchain monitoring experts have confirmed that malicious actors have extracted roughly $11.58 million in cryptocurrency assets from the bridge so far, sparking immediate concerns across the industry.

Blockchain security provider Blockaid was the first to publicly flag the active breach through its real-time detection tools.

The blockchain-focused firm has pinpointed the responsible external account as 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 and noted that the pilfered assets are currently consolidated in a separate holding address: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.

Detailed transaction records on Ethereum further link the drain to the official bridge smart contract at 0x71518580f36feceffe0721f06ba4703218cd7f63.

Analysts describe the method as a sophisticated validation shortfall rather than a direct compromise of keys or signatures.

The bridge properly checked notarized state roots from Verus, Merkle proofs for cross-chain movements, and a cryptographic hash binding for the transfer data.

However, it overlooked confirming that the original amounts exported on the Verus side actually matched the payouts requested on Ethereum.

Attackers exploited this gap by crafting a low-cost transaction on Verus—costing them only about $10 in fees—that committed to a payout hash while leaving the source totals effectively empty.

Notaries signed off on the resulting state root as usual. When the attacker then submitted the matching serialized data to the Ethereum side, the contract released 1,625 ETH, 103.6 tBTC, and 147,000 USDC from its reserves without detecting the mismatch.

The stolen tokens were swiftly converted into approximately 5,402 ETH, which remains untouched in the drainer wallet as of this writing.

This incident echoes earlier high-profile bridge vulnerabilities seen in projects like Wormhole and Nomad in 2022, where similar discrepancies between source and destination economic proofs allowed unauthorized drains.

Experts emphasize that the flaw was not related to signature forgery, parser errors, or notary compromises but stemmed from an incomplete check in the bridge’s Solidity code—estimated to require only about ten additional lines to fully secure the value-matching logic.
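To make the missing check concrete, the following is an added, simplified Python model, not the bridge's Solidity code or anything published by Verus. It assumes the notarized state root and Merkle proof have already verified; the record layout, serialization and all names are hypothetical, and it shows a hash-binding check passing on a mismatched export that a value-matching check rejects.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    """Hypothetical source-chain export record (already proven via Merkle proof)."""
    source_totals: dict   # currency -> amount exported on the source chain
    payout_hash: bytes    # commitment to the serialized payout list

def commit(payouts):
    # payouts: list of (currency, recipient, amount); serialization is an assumption
    blob = "|".join(f"{c}:{r}:{a}" for c, r, a in payouts).encode()
    return hashlib.sha256(blob).digest()

def binding_ok(export, payouts):
    # Proves only that these payouts are the ones the export committed to.
    return commit(payouts) == export.payout_hash

def value_ok(export, payouts):
    # The economic check: payouts per currency must be covered by what was
    # actually exported. A real bridge would also account for fees.
    requested = Counter()
    for currency, _recipient, amount in payouts:
        if amount <= 0:
            return False
        requested[currency] += amount
    return all(export.source_totals.get(c, 0) >= total
               for c, total in requested.items())

def release_binding_only(export, payouts):
    # Models the behaviour described in the article: binding without value matching.
    return binding_ok(export, payouts)

def release_with_value_check(export, payouts):
    return binding_ok(export, payouts) and value_ok(export, payouts)

# Constructed sample data (integer base units, placeholder recipients).
HONEST_PAYOUTS = [("USDC", "recipient-a", 1_000)]
HONEST = Export({"USDC": 1_000}, commit(HONEST_PAYOUTS))
MISMATCHED_PAYOUTS = [("USDC", "recipient-b", 1_000)]
MISMATCHED = Export({}, commit(MISMATCHED_PAYOUTS))   # empty source totals

if __name__ == "__main__":
    for name, exp, pay in [("honest", HONEST, HONEST_PAYOUTS),
                           ("mismatched", MISMATCHED, MISMATCHED_PAYOUTS)]:
        print(name, release_binding_only(exp, pay), release_with_value_check(exp, pay))
```

The same comparison works as an off-chain monitoring rule: any release whose payouts are not covered by the proven export totals is worth an alert, whether or not the hash binding verifies.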

Verus, known for its focus on privacy and advanced blockchain features, introduced the Ethereum bridge in late 2023 to facilitate seamless asset transfers between networks.

The exploit adds to a growing list of cross-chain incidents in 2026, underscoring persistent challenges in bridge security despite years of lessons from prior attacks.

At present, the Verus development team has not issued an official statement detailing next steps, such as pausing operations or pursuing recovery. The broader DeFi ecosystem is (as always) monitoring ongoing developments.

Users with exposure to the bridge are advised to monitor their positions and avoid further interactions until the situation is resolved.

Security firms continue to track the holding wallet for any movement of funds.

This event now serves as yet another reminder that even well-audited cross-chain infrastructure can harbor subtle logical gaps capable of resulting in multimillion-dollar losses in minutes.

As investigations proceed, the incident highlights the ongoing need for rigorous economic validation in bridge designs. Industry professionals now understandably expect renewed calls for enhanced auditing standards and real-time monitoring to safeguard user funds in an increasingly interconnected blockchain ecosystem.


