$11.6M stolen from Verus Ethereum bridge in fresh DeFi security breach

Security firms have identified the wallet containing the allegedly stolen assets, revealing that the digital currencies have been swapped for 5,402 Ether.

On Monday, the Verus Protocol's Ethereum bridge allegedly fell victim to an exploit involving a counterfeit cross-chain transfer message, enabling an attacker to illicitly withdraw a minimum of $11.58 million worth of digital assets.

In an X post published Monday, onchain security platform Blockaid reported that its monitoring system detected an active exploit targeting the Verus-Ethereum bridge. The company shared an Etherscan transaction link displaying the withdrawal of 1,625 Ether (ETH), 147,659 USDC (USDC) and 103.57 tBTC v2, totaling more than $11.5 million in value.

Blockchain security firm PeckShield similarly characterized the transaction as an exploit. According to onchain records, the stolen assets have subsequently been exchanged for Ether. Etherscan data reveals the wallet currently holds a balance of 5,402 Ether, valued at approximately $11.4 million.

Verus was contacted by Cointelegraph for a statement. As of press time, the protocol had not issued a public acknowledgment of the exploit.

Blockaid detection screenshot
Source: Blockaid

Throughout the first quarter of 2026, cryptocurrency hackers successfully extracted over $168.6 million in digital assets from 34 decentralized finance protocols. The month of April witnessed the year's two most substantial hacks to date: Drift Protocol suffered a $280 million exploit early in the month, followed by the $292 million Kelp exploit.

Fraudulent transfer instructions likely caused exploit

According to Blockaid, the Verus Protocol incident bears similarities to the $190 million Nomad Bridge exploit as well as the $325 million Wormhole exploit that occurred in 2022.

According to Blockaid's analysis, the attacker tricked the Verus Ethereum bridge into accepting fraudulent transfer instructions as legitimate, and the bridge then released funds from its reserves directly to the attacker's wallet.

"NOT an ECDSA bypass. NOT a notary key compromise. NOT a parser/hash-binding bug. IS a missing source-amount validation in checkCCEValues - ~10 lines of Solidity to fix," it added.

Blockchain security provider ExVul arrived at a comparable conclusion, stating that the attacker employed a "forged cross-chain import payload" that successfully passed the "bridge's verification flow" and led to "three attacker-attached transfers to the drainer wallet."

"Cross-chain import proofs must bind every downstream transfer effect to authenticated payload data before execution," the blockchain security provider said, adding that "Bridges should add strict payload-to-execution validation, defense in depth around proof verification and pause outbound flows when anomalous imports are detected."
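The invariant ExVul describes, and the kind of source-amount check Blockaid says was missing, shown as a simplified Python model added here for illustration. It is not Verus code: the `Bridge`, `AuthenticatedImport` and `Transfer` names, the hash format and the sample amounts are all assumptions.

```python
import hashlib
from collections import Counter, namedtuple

# Hypothetical shapes. AuthenticatedImport holds only fields assumed to be
# covered by the proof that has already been verified.
Transfer = namedtuple("Transfer", "asset recipient amount")
AuthenticatedImport = namedtuple("AuthenticatedImport", "source_totals transfers_hash")

def hash_transfers(transfers):
    data = "\n".join(f"{t.asset}|{t.recipient}|{t.amount}" for t in transfers)
    return hashlib.sha256(data.encode()).hexdigest()

class Bridge:
    def __init__(self):
        self.paused, self.released = False, []

    def violations(self, imp, transfers):
        problems = []
        # 1. The list about to execute must be the one the payload committed to.
        if hash_transfers(transfers) != imp.transfers_hash:
            problems.append("transfer list differs from committed hash")
        spent = Counter()
        for t in transfers:
            if t.amount <= 0:
                problems.append(f"non-positive amount for {t.asset}")
            spent[t.asset] += t.amount
        # 2. Per asset, releases must not exceed what the source side proves.
        for asset, total in spent.items():
            allowed = imp.source_totals.get(asset, 0)
            if total > allowed:
                problems.append(f"{asset}: release {total} > proven {allowed}")
        return problems

    def process_import(self, imp, transfers):
        if self.paused:
            return ["bridge paused pending review"]
        problems = self.violations(imp, transfers)
        if problems:
            self.paused = True  # halt outbound flows on an anomalous import
            return problems
        self.released.extend(transfers)
        return []

# Constructed sample: the proof covers 5 ETH; one matching list, one inflated.
def demo():
    bridge = Bridge()
    honest = [Transfer("ETH", "recipient-a", 5)]
    inflated = [Transfer("ETH", "recipient-b", 500)]
    ok = bridge.process_import(AuthenticatedImport({"ETH": 5}, hash_transfers(honest)), honest)
    bad = bridge.process_import(AuthenticatedImport({"ETH": 5}, hash_transfers(inflated)), inflated)
    return ok, bad, bridge.paused
```

The inflated list carries a matching hash, so the first check passes; only the per-asset comparison against the proven source totals rejects it and trips the pause.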

This security breach comes after THORChain verified on Saturday that it experienced a $10 million exploit.
