The Crypto Bridge Verus Protocol quietly drained of $11.6 million
On Monday, the crypto bridge named Verus Protocol’s Ethereum bridge became the latest victim in what is turning into one of crypto’s most brutal stretches of security failures. A hacker walked away with at least $11.58 million in cryptocurrency — not through some sophisticated cryptographic breach or a brute-force attack, but through something far more embarrassing: a forged message that the bridge simply believed without question.
Onchain security platform Blockaid was the one to catch it first, flagging an ongoing exploit on the Verus-Ethereum bridge via a post on X. The transaction they pointed to on Etherscan told the full story — 1,625 Ether, 147,659 USDC, and 103.57 tBTC v2, all gone, totalling more than $11.5 million drained in one coordinated sweep. Blockchain security firm PeckShield independently confirmed it was an exploit. By the time anyone was paying close enough attention, the stolen funds had already been converted into Ether. The attacker’s wallet showed a balance of 5,402 ETH, worth over $11.4 million, sitting there in plain sight on Etherscan.
Verus had not publicly confirmed the exploit at the time of publication. Cointelegraph reached out for comment and received no response.
Source: Blockaid
The method behind the attack is what makes this one sting. Blockaid explained that the attacker deceived the Verus Ethereum bridge into believing that fraudulent transfer instructions were legitimate, causing the protocol to send funds directly from its own reserves into the attacker’s wallet. It was not an ECDSA bypass. It was not a notary key compromise. It was not a parser or hash-binding bug. According to Blockaid, it came down to a missing source-amount validation in a function called checkCCEValues — a flaw that reportedly takes around ten lines of Solidity code to fix.
ExVul, another blockchain security provider, reached the same conclusion through its own investigation. The firm said the attacker constructed a forged cross-chain import payload that sailed through the bridge’s verification flow unchallenged, resulting in three separate attacker-attached transfers going straight to the drainer wallet. ExVul put it plainly in its assessment: cross-chain import proofs must bind every downstream transfer effect to authenticated payload data before execution. Bridges need strict payload-to-execution validation, layered defences around proof verification, and the ability to pause outbound flows the moment anomalous imports are detected. None of that was in place here.
Blockaid drew direct comparisons to two of the most damaging bridge hacks in crypto history — the $190 million Nomad Bridge exploit and the $325 million Wormhole exploit, both from 2022. That comparison carries weight. Three years have passed since those incidents shook the industry. Three years of lessons documented, post-mortems written, and best practices circulated. And still, a bridge in 2026 fell to the same category of vulnerability.
The Verus incident does not exist in isolation. It landed just two days after THORChain confirmed on Saturday that it had suffered a $10 million exploit of its own. Before that, April had already produced two of the biggest hacks of the year: a $280 million Drift Protocol exploit and a $292 million Kelp exploit. In the first quarter of 2026 alone, crypto hackers had already stolen more than $168.6 million from 34 decentralised finance protocols.
The numbers at this point are not just alarming. They are a pattern that refuses to stop repeating itself, and each incident makes the same argument louder than the last: bridges remain one of the most dangerous pieces of infrastructure in all of decentralised finance, and the industry has still not found a way to build them as securely as the money flowing through them demands.
If you’re reading this, you’re already ahead. Stay there, by joining the…
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.
