Verus-Ethereum Bridge Exploited for $11.58M on May 18
The Verus-Ethereum bridge lost $11.58 million on May 18, 2026, due to a validation error. Security firms confirm a forged transfer message drained funds including ETH and USDC.
- 01$11.58 million total value drained as of May 18, 2026
- 02Attacker holds 5,402 ETH as of May 18, 2026
- 03Bridge exploits represent 41% of DeFi losses as of May 2026
What Happened
On May 18, 2026, the Verus-Ethereum bridge suffered a critical exploit resulting in the loss of approximately $11.58 million in assets. The attacker drained 1,625 ETH, 103.6 tBTC, and nearly 147,659 USDC, subsequently swapping these assets into approximately 5,402 ETH. As of May 18, 2026, the attacker's wallet holds the consolidated ETH balance.
Background
Verus had cited an unspecified vulnerability in prior communications. However, the Verus v1.2.14-2 update is not a May 2026 emergency patch; GitHub records indicate this version was released in December 2025 (GitHub Release). Despite prior warnings, the exploit occurred shortly after. Security firms identified the root cause as a missing source-amount validation in the 'checkCCEValues' function. The attacker's wallet was funded with 1 ETH via Tornado Cash approximately 14 hours before the exploit.
The Bull Case
While no bullish outlook exists for the compromised protocol, PeckShield's rapid tracking of the stolen funds demonstrates improved ecosystem monitoring capabilities as of May 18, 2026. The swift identification by multiple firms suggests the security infrastructure surrounding cross-chain bridges is maturing, even if specific protocols lag.
The Bear Case
Blockaid highlighted that the exploit was not a complex cryptographic failure but a simple missing validation check that could have been fixed with approximately 10 lines of Solidity code. ExVul emphasized that bridge security remains a systemic risk, noting that cross-chain import proofs must bind every downstream transfer effect to authenticated payload data. Critics point to the irony of the bridge's 'trustless' marketing claims.
What to Watch
Investigators are monitoring wallet 0x65Cb...C25F9 for potential fund movements or cashing out attempts. There is no verifiable data confirming that exactly 41% of DeFi losses are bridge-related as of May 2026. While bridge exploits are a significant portion of 2026 losses, this specific percentage is not supported by the available security reports. Users should verify node updates immediately.
:::chart ETH 7d