Verus-Ethereum Bridge Exploit Drains $11.6M in Ongoing Attack

An active exploit is draining the Verus-Ethereum bridge, with attackers having stolen 103.6 tBTC, 1,625 ETH, and 147,000 USDC as of May 18, 2026. Security firm Blockaid identified the attack through its real-time exploit detection system, while auditor Peckshield confirmed the theft amounts. The stolen assets were converted into 5,402 ETH, bringing the total loss to approximately $11.58 million.

The attack exploits a batch transaction vulnerability in the bridge's smart contract logic. The attacker triggered the vulnerability by initiating a low-value transaction that activated a batch processing mechanism, allowing them to drain the bridge's liquidity pools. This technique mirrors previous bridge exploits that have targeted edge cases in cross-chain validation systems rather than direct cryptographic failures.

Bridge security has emerged as a critical weak point in cross-chain infrastructure. The Ronin bridge hack in March 2022 resulted in $625 million in losses, while the Poly Network exploit in August 2021 drained $611 million. The Nomad bridge suffered a $190 million drain in August 2022 after attackers identified similar batch processing vulnerabilities. These incidents reveal a pattern: attackers systematically probe smart contract logic to find overlooked edge cases that bypass validation mechanisms, then execute rapid drains before protocols can respond.

Blockaid's detection system identified the attack in real-time as it unfolded, rather than after the fact. This represents progress in monitoring infrastructure, though real-time detection provides limited practical benefit if the attacker executes the exploit faster than the protocol can halt it or if the bridge lacks emergency pause functionality.

The attack raises immediate questions about the Verus protocol's security audit history and the bridge's validation mechanisms. Cross-chain bridges remain among the highest-risk components in decentralized finance, handling custody of assets across incompatible blockchains. Each bridge introduces its own custom smart contract logic, creating surface area for subtle vulnerabilities. The Verus-Ethereum bridge's batch transaction processing appears to have lacked sufficient safeguards against the exploitation vector the attacker identified.

For users, the incident reinforces a critical lesson: bridge protocols operate at the frontier of blockchain security, where novel attack vectors emerge regularly. While detection systems like Blockaid's have improved, they function as monitors rather than preventative measures. The $11.6 million loss represents real user capital trapped in a bridge that failed to validate transactions correctly, a pattern that has repeated across multiple protocols despite growing awareness of the risks involved.