Verus-Ethereum Bridge Hack 2026 — $12M Exploit Analysis

Missing input validation in Verus's bridge verification function allowed a forged cross-chain payload to drain 1,625 ETH, 103.6 tBTC, and 147K USDC ($11.58M), all converted to ~5,402 ETH.

Details

Full Description

On May 18 2026, the Verus-Ethereum Bridge suffered an $11.58M exploit targeting a missing validation check in the bridge's cross-chain verification function. The attack leveraged a forged import payload — the bridge verification function failed to validate that the source-side amount matched the claimed transfer value. The attacker first submitted a low-value transaction to probe the bridge, then triggered a batch transfer of reserves. Stolen assets included 1,625 ETH, 103.6 tBTC, and 147,000 USDC, which were consolidated and converted to approximately 5,402 ETH. The attacker's funding wallet was topped up via Tornado Cash approximately 14 hours before the attack, indicating advance planning. The Verus network was halted during investigation. No recovery has been confirmed.

Laundering Analysis

Stolen assets (1,625 ETH, 103.6 tBTC, 147,000 USDC) were consolidated and converted to approximately 5,402 ETH through on-chain swaps. The attacker pre-staged the operation by funding their initial wallet via Tornado Cash 14 hours before the attack, demonstrating awareness of forensic tracing methods. Post-exploit, funds were dispersed across multiple Ethereum addresses. No mixer activity post-exploit has been confirmed as of reporting date, though the Tornado Cash pre-funding and address dispersion pattern is consistent with state-level or sophisticated criminal actors.

Sources

Related Hacks

Back to Browse