Verus-Ethereum Bridge Hack 2026 — $12M Exploit Analysis

Attacker exploited a logic gap in Verus bridge's cross-chain value validation, submitting a hand-crafted CReserveTransferImport payload with a fabricated Merkle proof that the bridge accepted, releasing 1,625 ETH, 103.57 tBTC, and 147,659 USDC from reserves.

Details

Full Description

On May 18, 2026, an attacker exploited a logic gap in the Verus bridge's cross-chain value validation. The attacker submitted a hand-crafted CReserveTransferImport payload with a fabricated Merkle proof that the bridge accepted, releasing 1,625 ETH, 103.57 tBTC, and 147,659 USDC from reserves. No keys or notary signatures were compromised — this was a pure economic-value binding gap (the same class of bug as Wormhole/Nomad in 2022). The attacker swapped all assets to ETH via a DEX aggregator, netting approximately 5,402 ETH (~$11.4M).

Laundering Analysis

All released assets swapped to ETH via a DEX aggregator, netting ~5,402 ETH (~$11.4M). No recovery reported at time of writing.

Sources

Transaction Hashes

Related Hacks

Back to Browse