Verus Protocol’s Ethereum bridge was reportedly exploited on Monday through a fake cross-chain transfer message that allowed a hacker to fraudulently transfer out at least $11.58 million in cryptocurrency.
Onchain security platform Blockaid said in an X post on Monday that its detection system identified an ongoing exploit on the Verus-Ethereum bridge and shared a transaction on Etherscan showing a transfer of 1,625 Ether (ETH), 147,659 USDC and 103.57 tBTC v2, worth over $11.5 million.
Blockchain security company PeckShield also called the transfer an exploit, with onchain data showing the funds have since been converted into Ether. The wallet shows a balance of 5,402 Ether, worth over $11.4 million, according to Etherscan.
Cointelegraph reached out to Verus for comment. The protocol had not publicly confirmed the exploit at the time of publication.
Crypto hackers stole more than $168.6 million in crypto from 34 decentralized finance protocols in the first quarter of 2026. April saw the two largest hacks of the year so far: the $280 million Drift Protocol exploit at the start of the month and the $292 million Kelp exploit.
Fraudulent transfer instructions likely caused exploit
Blockaid said the Verus Protocol incident resembles the $190 million Nomad Bridge exploit and the $325 million Wormhole exploit from 2022.
The attacker exploited the Verus Ethereum bridge by deceiving the protocol into believing transfer instructions were real, causing the bridge to send funds from its reserves to the attacker’s wallet, Blockaid said.
“NOT an ECDSA bypass. NOT a notary key compromise. NOT a parser/hash-binding bug. IS a missing source-amount validation in checkCCEValues – ~10 lines of Solidity to fix,” it added.
Blockchain security provider ExVul reached a similar conclusion and said the attacker used a “forged cross-chain import payload” that passed the “bridge’s verification flow” and resulted in “three attacker-attached transfers to the drainer wallet.”
“Cross-chain import proofs must bind every downstream transfer effect to authenticated payload data before execution,” the blockchain security provider said, adding that “Bridges should add strict payload-to-execution validation, defense in depth around proof verification and pause outbound flows when anomalous imports are detected.”
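The invariant both firms describe can be modeled in a few lines. The sketch below is an added illustration in Python, not Verus's contract code: the payload layout, the `source_totals` field and the names `check_import_values` and `Bridge` are assumptions chosen to show payload-to-execution validation together with a pause on anomalous imports.

```python
from collections import defaultdict
from dataclasses import dataclass

class ImportRejected(Exception):
    """Raised when an import must not be executed."""

@dataclass
class Transfer:
    currency: str
    amount: int          # smallest unit of the asset
    destination: str

@dataclass
class ImportPayload:
    source_totals: dict  # hypothetical: per-currency amounts covered by the verified proof
    transfers: list      # transfers the bridge would pay out of its reserves

def check_import_values(payload):
    """Return per-currency outflow only if it equals the authenticated totals."""
    outflow = defaultdict(int)
    for t in payload.transfers:
        if t.amount <= 0:
            raise ImportRejected(f"non-positive amount for {t.currency}")
        outflow[t.currency] += t.amount
    # Check both directions so an unbacked currency cannot slip through.
    for cur in set(outflow) | set(payload.source_totals):
        paid, backed = outflow.get(cur, 0), payload.source_totals.get(cur, 0)
        if paid != backed:
            raise ImportRejected(f"{cur}: transfers {paid} != authenticated {backed}")
    return dict(outflow)

class Bridge:
    def __init__(self, reserves):
        self.reserves, self.paused = dict(reserves), False

    def process_import(self, payload):
        if self.paused:
            raise ImportRejected("outbound flows are paused")
        try:
            totals = check_import_values(payload)
        except ImportRejected:
            self.paused = True   # anomalous import: halt payouts until reviewed
            raise
        for cur, amt in totals.items():
            if self.reserves.get(cur, 0) < amt:
                raise ImportRejected(f"insufficient reserve for {cur}")
        for cur, amt in totals.items():
            self.reserves[cur] -= amt
        return totals
```

An import whose transfers name a currency or amount that the authenticated totals do not cover raises `ImportRejected` before any reserve is touched, and the bridge stays paused for later imports.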
The incident follows THORChain confirming on Saturday that it suffered a $10 million exploit.