Verus Protocol’s Ethereum bridge was compromised Monday through forged cross-chain transfer instructions, resulting in the theft of at least $11.58 million in cryptocurrency. Security firms Blockaid and PeckShield identified the exploit and traced stolen funds converted to 5,402 Ether, valued at approximately $11.4 million. The attack is the latest significant breach in a year marked by systematic bridge vulnerabilities across DeFi protocols.
Missing Validation Enabled Fraudulent Transfers
The exploit centered on a critical gap in Verus Protocol’s cross-chain verification logic. Blockaid determined the vulnerability was not an ECDSA bypass, notary key compromise, or parser bug, but rather a missing source-amount validation in the bridge’s checkCCEValues function. The security firm stated the fix required approximately 10 lines of Solidity code. The bridge was deceived into treating fraudulent transfer instructions as legitimate, causing it to send funds from its reserves to the attacker’s wallet. The initial transfer moved 1,625 ETH, 147,659 USDC, and 103.57 tBTC v2, totaling $11.5 million. ExVul, a blockchain security provider, emphasized that cross-chain import proofs must bind every downstream transfer effect to authenticated payload data before execution to prevent similar attacks.
Bridge Exploits Accelerate Across DeFi Ecosystem
The Verus breach compounds ongoing losses from bridge vulnerabilities. Two days prior, on Saturday, May 16, THORChain confirmed a separate $10 million exploit. Throughout Q1 2026, attackers stole $168.6 million across 34 DeFi protocols, and April alone saw major breaches: Drift Protocol lost $280 million and Kelp suffered a $292 million exploit. The pattern reflects structural weaknesses in cross-chain architecture that persist despite high-profile 2022 incidents including Nomad Bridge’s $190 million loss and Wormhole’s $325 million theft. Blockaid and PeckShield’s rapid identification demonstrates improved detection capabilities, yet the underlying vulnerability classes continue to evade prevention.
Structural Defenses Remain Incomplete
ExVul’s analysis points to systemic gaps in bridge security design. The firm recommended that bridges implement strict payload-to-execution validation, deploy defense-in-depth around proof verification, and pause outbound flows when anomalous imports are detected. Current implementations often lack these safeguards even though they are technically straightforward to implement. The Verus exploit illustrates how minor validation oversights can cascade into eight-figure losses. Bridges remain critical infrastructure for multi-chain DeFi, yet standardized security frameworks have not emerged across the sector.
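The source-amount check Blockaid describes and the pause-on-anomaly safeguard ExVul recommends, as an added sketch that is not Verus Protocol’s code: a simplified Python model in which payouts are compared against source totals taken from an already verified proof, and a failed check halts outbound flows. The class names, field names and sample amounts are assumptions made for illustration.

```python
# Constructed model of a bridge import check. Class and field names are
# hypothetical; this is not Verus Protocol code.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    currency: str
    amount: int  # smallest unit of the currency
    recipient: str

class ImportRejected(Exception):
    """Raised when an import must not be executed."""

class Bridge:
    def __init__(self, reserves):
        self.reserves = dict(reserves)
        self.paused = False

    def check_amounts(self, source_totals, transfers):
        """Reject payouts not covered by the authenticated source totals."""
        paid = Counter()
        for t in transfers:
            if t.amount <= 0:
                raise ImportRejected(f"non-positive amount in {t.currency}")
            paid[t.currency] += t.amount
        for currency, total in paid.items():
            limit = min(source_totals.get(currency, 0), self.reserves.get(currency, 0))
            if total > limit:
                raise ImportRejected(f"{currency}: payout {total} exceeds limit {limit}")

    def process_import(self, source_totals, transfers):
        """source_totals is assumed to come from an already verified proof."""
        if self.paused:
            raise ImportRejected("outbound flows are paused")
        try:
            self.check_amounts(source_totals, transfers)
        except ImportRejected:
            self.paused = True  # anomalous import: halt outbound flows
            raise
        for t in transfers:  # effects run only after every check has passed
            self.reserves[t.currency] -= t.amount
        return dict(self.reserves)

# Constructed sample imports: (source totals, payout list).
HONEST = ({"ETH": 5}, [Transfer("ETH", 5, "0xRecipientA")])
# Declares 1 unit at the source but asks the bridge to pay out 500.
FORGED = ({"ETH": 1}, [Transfer("ETH", 500, "0xRecipientB")])
```

In this model the forged import is rejected before any reserve is touched, and the bridge then refuses further imports until it is unpaused.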
Verus Silent as Stolen Funds Remain Tracked
Verus Protocol had not publicly confirmed the exploit at publication time. Security researchers have traced the converted funds to specific wallet addresses on Etherscan, though the attacker’s identity remains unknown and it has not been established whether the funds remain in the identified wallet. The remediation timeline and scope of the vulnerability across other Verus products remain unclear. The protocol’s response and any recovery efforts will likely determine market confidence in its bridge infrastructure going forward.