On the night of 17–18 May 2026, a threat actor exploited a missing source-amount validation in the Verus–Ethereum Bridge smart contract, draining $11.58 million in bridge reserves. By forging a cross-chain import payload that passed every cryptographic check while committing zero value on the source chain, the attacker turned approximately $10 in VRSC fees into an $11.58M payout — a return of over 1,000,000×.
— PHASE 1 — THE SECURITY INCIDENT
The Verus–Ethereum Bridge enables users to move assets between the Verus blockchain and Ethereum. Like all cross-chain bridges, it relies on a validation chain: the source chain commits to a transfer, notaries attest to that commitment, and the destination chain pays out based on the attested data.
The flaw was not in the cryptography. The bridge correctly verified notary signatures, Merkle proofs, and hash bindings. What it never verified was that the source-chain export's economic totals — the actual value committed by the sender — matched the payout being claimed on Ethereum.
ROOT CAUSE
A missing source-amount validation in the bridge's checkCCEValues function. The fix is approximately 10 lines of Solidity. This is not an ECDSA bypass, a notary key compromise, or a parser bug — it is a structural economic validation gap.
Step 1 - Fake a Verus transaction. The attacker sent a cheap Verus transaction (~$10) that claimed to authorize a large payout, but committed no real value. The network accepted it as valid.
Step 2 - Claim the payout on Ethereum. The attacker presented that claim to the Ethereum bridge. The bridge checked the cryptography, saw it matched, and paid out.
Step 3 - Drain and convert. The bridge paid out 1,625 ETH, 103 tBTC, and 147,000 USDC to the attacker's drainer wallet. All assets were immediately swapped via DeFi into ETH and consolidated.
— PHASE 2 — THE MONEY TRAIL
Merkle Science's Tracker captured the complete fund movement — from the attacker's initial Tornado Cash funding through the exploit transaction to final consolidation of 5,402 ETH in a single drainer address — all within approximately 24 hours.
The tBTC and USDC proceeds were immediately swapped into native ETH via DeFi protocols, bypassing any KYC requirements during the critical conversion phase. USDC and tBTC are assets where issuers or custodians can blacklist addresses and freeze funds. By converting to native ETH within hours of the drain, the attacker moved the proceeds into a decentralized, censorship-resistant state. The speed of conversion suggests deliberate awareness of the stablecoin freeze window — a pattern also observed in the TrustedVolumes exploit in May 2026.
— PHASE 3 — INCIDENT TIMELINE
— INDUSTRY CONTEXT
Independent security analysts place this incident in the same exploit family as Wormhole (2022) and Nomad (2022). Bridge architectures that release tokens on one chain based on attested deposits on another require every link in the validation chain to enforce identical economic guarantees. A gap at any single layer collapses the entire trust model — regardless of how robust the cryptographic layer is.
Cryptographic validity does not equal functional security. A bridge can be cryptographically correct and economically exploitable at the same time. Every validation layer must independently enforce the invariant that source value ≥ destination payout. A missing check anywhere in that chain is sufficient to drain the entire reserve.
— PHASE 4 — COMPLIANCE & RECOMMENDATIONS
With $11.4M consolidated in a single wallet within 24 hours of the drain, the window for coordinated recovery action is narrow. The following steps are recommended in priority order.
Submit freezing requests to major centralized exchanges, stablecoin issuers, and key liquidity venues referencing drainer wallet 0x65Cb8b12…c25f9. Single-wallet consolidation maximizes freeze effectiveness before onward splits occur.
Every movement from 0x65c…c25f9 creates new forensic surfaces. Configure real-time alerts for outbound transfers — each hop narrows deanonymization opportunities despite the Tornado Cash upstream obfuscation.
Users should avoid all bridge interactions until the Verus team confirms the checkCCEValues patch is deployed, audited, and formally restores bridge operations via an official post-mortem.
Independent analysts identify the root cause as the missing checkCCEValues check (~10 lines of Solidity), but the Verus team has not yet published a confirmed post-mortem. Do not finalize compliance exposure assessments until official confirmation.
This incident belongs to the Wormhole/Nomad TTP class. Bridges that only verify cryptographic proofs without enforcing source-destination value equivalence carry structural risk. Review all bridge-related holdings for checkCCEValues-class validation coverage.
Merkle Science can help compliance teams screen for direct and indirect exposure to the Verus Bridge exploit path, monitor drainer wallet movements in real time, and coordinate with exchanges on freeze requests. Get in touch to find out how we can help.
