Verus-Ethereum Bridge Exploited - $11.58M Drained

Another cross-chain bridge falls. The Verus-Ethereum Bridge was hit on May 17–18 in a forged cross-chain transfer attack, with attackers draining ~$11.58M in crypto.

What was stolen: 103.6 tBTC + 1,625 ETH + ~147K USDC

The hacker swapped everything into 5,402 ETH (~$11.4M) and parked it in a single wallet. Funding came via Tornado Cash ~14 hours before the drain — a textbook pre-attack setup.

Root cause (the important part):
This was NOT a key compromise, signature bypass, or hash collision. Per Blockaid, it was a missing source-amount validation, the bridge verified Merkle proofs and state roots correctly, but never checked if the source-chain transaction actually backed the payout with real value.

In simple terms: the attacker spent ~$10 in fees to forge $11.5M out. Same vulnerability class as the 2022 Nomad ($190M) and Wormhole ($325M) hacks.

CryptoPatel Summary:
Bridges remain DeFi's weakest link. "Cryptographically verified" ≠ "economically validated." Before bridging assets, check the protocol's audit history and never leave large funds idle on a bridge contract.

Verus team has not officially confirmed yet, figures are from Blockaid, PeckShield & ExVul.

Stay safe. ALWAYS DYOR.