Attacker exploited a logic gap in Verus bridge's cross-chain value validation, submitting a hand-crafted CReserveTransferImport payload with a fabricated Merkle proof that the bridge accepted, releasing 1,625 ETH, 103.57 tBTC, and 147,659 USDC from reserves.
On May 18, 2026, an attacker exploited a logic gap in the Verus bridge's cross-chain value validation. The attacker submitted a hand-crafted CReserveTransferImport payload with a fabricated Merkle proof that the bridge accepted, releasing 1,625 ETH, 103.57 tBTC, and 147,659 USDC from reserves. No keys or notary signatures were compromised — this was a pure economic-value binding gap (the same class of bug as Wormhole/Nomad in 2022). The attacker swapped all assets to ETH via a DEX aggregator, netting approximately 5,402 ETH (~$11.4M).
All released assets swapped to ETH via a DEX aggregator, netting ~5,402 ETH (~$11.4M). No recovery reported at time of writing.
N/A