Community Investigation

Verus Bridge Exploit: How a $10 Transaction Drained $11.4 Million

REPORT

May 19, 2026

On May 18, 2026, the Verus-Ethereum Bridge lost approximately $11.4 million in a single exploit transaction.

The attacker paid roughly $10 in fees. The bridge released everything.

What makes this incident especially alarming is that the system behaved exactly as designed.

This exploit exposed a deeper structural weakness still present across many cross-chain bridges in DeFi.

What Happened?

The Verus-Ethereum Bridge enables asset transfers between the Verus blockchain and Ethereum.

The protocol relied on a notary system where at least 8 out of 15 notaries had to cryptographically sign a state root before it was accepted as valid.

The bridge successfully verified those signatures.

But it failed to verify whether the underlying assets on the Verus side actually existed.

According to Blockaid, the root cause was:

“Missing source-amount validation in the checkCCEValues process.”

In simple terms, the attacker was able to create a cross-chain transfer request with an empty source-side payload. No real assets were locked on the Verus chain.

The notaries signed the state root because the cryptographic structure itself appeared valid. The bridge then accepted that state and released real funds from its Ethereum reserves.

The result: approximately $11.4 million drained from the bridge.

This Isn’t a New Type of Attack

The attack category is painfully familiar.

Major bridge exploits caused by source-destination validation failures include:

  • Wormhole — $325M lost
  • Nomad — $190M lost

Four years later, the same fundamental validation issue is still being exploited.

Pre-Attack Activity

Roughly 14 hours before the exploit, the attacker’s execution wallet received 1 ETH from Tornado Cash.

Tornado Cash Funding Address

0x47ce0c6ed5b0ce3d3a51fdb1c52dc66a7c3c2936

Attacker Execution Wallet

0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777

This type of pre-funding pattern closely resembles operational behavior previously associated with organized threat actors, including Lazarus Group-linked activity seen before the Drift Protocol and KelpDAO exploits in April 2026.

Attribution in the Verus incident remains unconfirmed.

The Exploit Transaction

Exploit Transaction Hash

0x6990f01720f57fc515d0e976a0c4f8157e0a9529194c4c15d190e98d087eb321

Target Bridge Contract

0x71518580f36feceffe0721f06ba4703218cd7f63

The stolen assets were moved into the following holding wallet:

Holding Wallet

0x65Cb8b128Bf6e690761044CCECA422bb239C25F9

Assets Drained

Immediately after the exploit, the attacker swapped the stolen tBTC into ETH using a swap contract.

tBTC Swap Contract

0x00000011f84b9aa48e5f8aa8b9897600006289be

After consolidation, the attacker controlled approximately:

5,402 ETH (~$11.4M)

Where Did the Money Go?

The stolen funds split into two major routes.

Route A — USDC Flow Into Binance

The USDC funds were routed through a DEX address before reaching a Binance deposit wallet.


Holding Wallet
   ↓
DEX Routing Address
0xbee3211ab312a8d065c4fef0247448e17a8da000
   ↓
⚠ Binance Deposit Address
0xb300000b72deaeb607a12d5f54773d1c19c7028d

Additional WETH and USDT inflows were also detected at the Binance deposit address.

This is currently the strongest actionable lead in the investigation.

If Binance compliance responds quickly, investigators may still have an opportunity to:

  • Freeze assets
  • Identify linked KYC accounts
  • Trace additional laundering activity

Route B — ETH Laundering Path

The ETH moved through an intermediate address before disappearing further downstream.


Holding Wallet
   ↓
Intermediate Address
0x83928b7f2a85bdde9854f27a1e78aac29316f23b
   ↓
Current Balance: 0 ETH
Final Destination: UNKNOWN

The ETH has already left the intermediate address.

Investigators are now monitoring for:

  • Mixer usage
  • Additional bridge hops
  • Exchange deposits
  • OTC cash-out activity

Priority Actions

1. Emergency Binance Freeze Request

Critical address:

0xb300000b72deaeb607a12d5f54773d1c19c7028d

Because the wallet received direct exploit proceeds, there is sufficient basis for an emergency freeze request and KYC disclosure inquiry.

Every hour matters.

2. Continue ETH Route Tracking

Tracking target:

0x83928b7f2a85bdde9854f27a1e78aac29316f23b

All outbound transactions from this address should be mapped and flagged across major exchanges before the attacker reaches a successful cash-out point.

The Bigger Problem With Bridge Security

According to PeckShield, at least eight major bridge exploits occurred between February and mid-May 2026, resulting in combined losses exceeding $328.6 million.

The Verus exploit is simply the latest example.

The economics are staggering:

  • Attack cost: ~$10
  • Profit: ~$11.4M
  • Estimated ROI: ~1,140,000x

What makes this even more frustrating is that the fix appears relatively straightforward.

According to Blockaid, the bridge needed an additional validation step to confirm source-side asset amounts before releasing destination-side funds.

That validation did not exist.

And it is the same class of failure that contributed to the Wormhole and Nomad exploits years earlier.
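
The gap described under "What Happened?" and the validation step Blockaid describes can be shown side by side in a simplified model. This is an added example, not the bridge's own code: the Import structure, the function names, and the HMAC stand-in for notary signatures are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

QUORUM, NOTARIES = 8, 15  # 8-of-15 threshold, as described on the page
# Constructed keys; an HMAC stands in for a real notary signature scheme.
NOTARY_KEYS = {i: f"notary-{i}".encode() for i in range(NOTARIES)}

@dataclass
class Import:  # hypothetical shape of a cross-chain import
    state_root: bytes    # what the notaries actually sign
    source_totals: dict  # currency -> amount locked on the source chain
    payouts: list        # (recipient, currency, amount) to release
    signatures: dict = field(default_factory=dict)  # notary id -> MAC

def sign(notary_id, state_root):
    return hmac.new(NOTARY_KEYS[notary_id], state_root, hashlib.sha256).digest()

def quorum_ok(imp):
    """Count valid notary MACs over the state root."""
    valid = sum(1 for nid, sig in imp.signatures.items()
                if nid in NOTARY_KEYS
                and hmac.compare_digest(sig, sign(nid, imp.state_root)))
    return valid >= QUORUM

def amounts_ok(imp):
    """Per currency, payouts must be positive and covered by source-side locks."""
    released = {}
    for _recipient, currency, amount in imp.payouts:
        if amount <= 0:
            return False
        released[currency] = released.get(currency, 0) + amount
    return all(imp.source_totals.get(c, 0) >= t for c, t in released.items())

def release_signature_only(imp):     # cryptographic validity only
    return quorum_ok(imp)

def release_with_amount_check(imp):  # adds the source-amount validation
    return quorum_ok(imp) and amounts_ok(imp)

def make_import(source_totals, payouts, signers=range(QUORUM)):
    """Build a constructed import whose root is signed by the given notaries."""
    blob = repr((sorted(source_totals.items()), payouts)).encode()
    imp = Import(hashlib.sha256(blob).digest(), source_totals, payouts)
    imp.signatures = {n: sign(n, imp.state_root) for n in signers}
    return imp
```

An import with a full quorum but empty source_totals passes release_signature_only and is rejected by release_with_amount_check, which is the difference between the two layers of verification discussed in this report.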

Final Thoughts

The Verus Bridge exploit was not just a smart contract bug.

It exposed a broader issue still affecting cross-chain infrastructure today:

Many bridges verify cryptographic validity without verifying actual economic reality.

A valid signature does not necessarily mean valid collateral exists.

Until cross-chain security standards enforce both layers of verification, bridges will likely remain one of the most heavily exploited sectors in DeFi.
