Verus Bridge Exploited for $11.6M via Fake Transfer
Verus Protocolâs Ethereum bridge was exploited Monday for $11.58 million after an attacker used a fake cross-chain transfer message. Blockaid and PeckShield confirmed the hack, with funds now converted to ETH. The flaw mirrors Wormhole and Nomad exploits, highlighting persistent bridge risks.
Quick Take
Verus Ethereum bridge lost $11.58M to exploit via fake cross-chain message.
Attacker drained 1,625 ETH, 147K USDC, and 103 tBTC v2.
Vulnerability stemmed from missing source-amount validation in smart contract.
Experts urge stricter payload validation to prevent similar bridge attacks.
Market Impact Analysis
BearishExploits in DeFi bridges erode trust in cross-chain infrastructure and may cause short-term bearish sentiment, especially for affected assets like ETH.
Speculation Analysis
Key Takeaways
- Verus Ethereum bridge lost $11.58M after a forged cross-chain transfer message drained assets.
- Missing source-amount validation in the smart contractânot a key compromiseâallowed the exploit.
- 1,625 ETH, 147K USDC, and 103 tBTC v2 were taken, then converted to ETH in attackerâs wallet.
- The incident mirrors Nomad and Wormhole exploits, underscoring persistent bridge security gaps.
What Happened
Verus Protocolâs Ethereum bridge was exploited Monday when an attacker tricked the network into releasing $11.58 million in cryptocurrency. Security firms Blockaid and PeckShield confirmed the breach, tracing it to a fake cross-chain transfer message that bypassed verification. The attacker drained 1,625 ETH, 147,659 USDC, and 103.57 tBTC v2 directly from bridge reserves. Within hours, all stolen tokens were converted to ETH and consolidated into a single wallet. Verus has yet to issue a public statement on the incident.
The Numbers
The $11.58 million loss adds to a growing tally of bridge vulnerabilities. The attackerâs wallet now holds 5,402 ETHâworth over $11.4 millionâafter swapping the looted USDC and tBTC. Three separate transfers executed the drain, each tied to the forged payload. This theft follows a Q1 2026 trend where DeFi protocols lost over $168.6 million, and April saw even larger nine-figure exploits, amplifying concern over cross-chain security.
Why It Happened
The exploit stemmed from a missing source-amount validation in the bridgeâs smart contract. This flaw let a forged cross-chain import payload pass through the verification flow, authorizing unauthorized transfers. Unlike private key compromises, it was a pure logic errorâBlockaid noted it required â~10 lines of Solidity to fix.â The absence of strict payload-to-execution binding meant transfer instructions werenât adequately checked against authenticated data, mirroring the root causes of the Nomad and Wormhole hacks.
Broader Impact
This incident reignites fears about cross-chain infrastructure. Despite years of similar breaches, bridges remain prime targets, and smaller protocols often lack robust defenses. The Verus hack could spur stricter audits and real-time monitoring demands, but may also erode trust in newer bridges. For the industry, itâs another costly lesson in the need for defense-in-depth around proof verification.
What to Watch Next
- Verusâs official response, including user compensation plans and a post-mortem.
- Whether other bridges proactively patch source-amount validation gaps in their contracts.
- Potential regulatory or industry frameworks for cross-chain security after repeated nine-figure losses.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
