Sometime late Sunday, a single wallet funded with one ether via Tornado Cash became the entry point for the most precise DeFi bridge attack of May 2026. Blockchain security platform Blockaid raised the alarm first, flagging the suspicious activity on X at roughly 11 p.m. UTC on May 18.
🚨 Community alert:
Blockaid's exploit detection system has identified an on-going exploit on the @veruscoin Verus-Ethereum Bridge (https://t.co/HEwYZqFEfC).
~$11.58M drained so far. More details in 🧵
— Blockaid (@blockaid_) May 18, 2026
By the time PeckShield and ExVul had corroborated the findings, $11.58 million had already left the Verus-Ethereum bridge and was sitting, fully consolidated, in an address that on-chain trackers were already watching.
Blockchain security firms Blockaid, PeckShield, and ExVul linked the exploit to missing validation checks inside the bridge verification process. GoPlus Security’s post-incident assessment identified the attack as a two-step manoeuvre: a low-value transaction probed the contract first, followed by a function call that enabled batch transfer of reserve assets to the attacker’s wallet.
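The probe-then-drain sequence GoPlus describes can be turned into a monitoring rule. The sketch below is an added example, not code from any of the firms named or from the Verus project; the record layout, thresholds, addresses and amounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (unix_time, caller, asset, usd_released_from_reserve).
# Addresses and amounts are placeholders, not values from the incident.
SAMPLE_TXS = [
    (1000, "0xUSER_A", "USDC", 250.0),
    (1600, "0xUSER_B", "ETH", 40_000.0),
    (2000, "0xNEW_1", "ETH", 5.0),            # low-value probe
    (2120, "0xNEW_1", "tBTC", 1_500_000.0),   # batch release, asset 1
    (2120, "0xNEW_1", "ETH", 2_000_000.0),    # batch release, asset 2
    (2120, "0xNEW_1", "USDC", 900_000.0),     # batch release, asset 3
    (9000, "0xUSER_A", "USDC", 300.0),
]

def find_probe_then_drain(txs, probe_max_usd=100.0, drain_min_usd=1_000_000.0,
                          window_s=3600, min_assets=2):
    """Return alerts for callers whose low-value release is followed, within
    window_s seconds, by releases spanning >= min_assets assets and totalling
    >= drain_min_usd. All thresholds are assumed defaults to be tuned."""
    by_caller = defaultdict(list)
    for ts, caller, asset, usd in sorted(txs):
        by_caller[caller].append((ts, asset, usd))

    alerts = []
    for caller, events in by_caller.items():
        for i, (probe_ts, _, probe_usd) in enumerate(events):
            if probe_usd > probe_max_usd:
                continue  # not small enough to count as a probe
            # Larger releases to the same caller inside the time window.
            later = [e for e in events[i + 1:]
                     if e[0] - probe_ts <= window_s and e[2] > probe_max_usd]
            total = sum(usd for _, _, usd in later)
            assets = sorted({asset for _, asset, _ in later})
            if total >= drain_min_usd and len(assets) >= min_assets:
                alerts.append({"caller": caller, "probe_ts": probe_ts,
                               "drained_usd": total, "assets": assets})
                break  # one alert per caller is enough to page someone
    return alerts

if __name__ == "__main__":
    for alert in find_probe_then_drain(SAMPLE_TXS):
        print(alert)
```

A rule like this only shortens response time; it does not replace verifying the cross-chain message before reserves are released.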
Hi @veruscoin It seems abnormal assets outflow (~$11.4m) from Verus-Ethereum Bridge: https://t.co/2Ol7cngtjY
The funds are currently parked in the following address: https://t.co/YaMyk4ffZH pic.twitter.com/UMhgLOtjSm
— PeckShield Inc. (@peckshield) May 18, 2026
The critical failure was the bridge’s acceptance of a forged cross-chain message without verifying its authenticity. The Verus-Ethereum bridge was designed to allow asset movement between the Verus network and Ethereum using a hybrid proof-of-work and proof-of-stake consensus model on the Verus side, with the Ethereum contract handling verification independently. That verification step was where the attacker found their gap.
The pattern is not novel. On April 13, an attacker exploited Hyperbridge’s Ethereum gateway contract using a forged cross-chain message, minting 1 billion bridged Polkadot tokens via the same dispatchIncoming pathway. The Hyperbridge attacker walked away with only $237,000 because shallow liquidity in the Ethereum DOT pool limited slippage capacity. The Verus bridge held tBTC, ETH, and USDC, assets with deep liquidity pools and no such natural ceiling. The attacker cleared the full balance.
April 2026 set the year’s benchmark, with protocols losing more than $606 million across 12 incidents. KelpDAO’s $292 million bridge drain was the single largest hack of 2026. Drift Protocol lost $280 million on Solana in the same month.
The Verus attack arrived three days after THORChain halted trading following a separate $10 million vault breach, making it the second bridge-category exploit in less than 72 hours. DeFiLlama data shows 10+ DeFi protocols were hit in May before Verus, with collective losses already above $15 million before Sunday’s attack. The running May total now sits above $31 million.
Bridges remain the weakest link in cross-chain architecture because they hold admin-level control over token contracts on destination chains, meaning a single validation failure can grant an attacker the ability to drain or mint unlimited supply. For instance, Ronin lost $625 million in 2022, Nomad lost $190 million and Wormhole lost $320 million. Each attack followed a different technical path but the same structural logic: the bridge trusted input it should not have trusted.
The Verus bridge had none of the accidental circuit breakers that limited damage in the Hyperbridge case. tBTC, ETH, and USDC are the three most liquid bridge assets in DeFi. The attacker did not need to hunt for buyers or absorb slippage. They swapped three separate assets into a single holding in what PeckShield’s on-chain data shows as a clean, rapid execution with no visible friction. The 5,402 ETH now sitting at the attacker’s consolidation address has not moved since Sunday night. On-chain trackers are watching it. The funds are almost certainly gone.
The Verus team’s silence as of publication is itself a data point. The bridge launched in October 2023 and ran for 31 months before this attack. Whether the team can reconstruct the verification logic, establish whether other assets remain at risk, and communicate a recovery timeline will determine whether the protocol survives the breach. Two prior 2026 protocols that lost comparable sums, in the $10 million to $15 million range, both attempted recovery bounties. Neither recovered more than 8% of stolen funds.
