The VerusCoin Ethereum bridge has been exploited, resulting in the loss of approximately $11.58 million in digital assets, including ETH, tBTC v2, and USDC.
🚨🚨🚨Security Alert: Verus-Ethereum Bridge Exploit@VerusCoin Ethereum Bridge suffered an exploit, resulting in the theft of 1,625.37 ETH, 103.57 tBTC v2, and 147,659 USDC valued at ~$11.58M.
🔍 Root Cause
A forged cross-chain import payload was submitted to `submitImports()`.…— ExVul (@exvulsec) May 18, 2026
According to on-chain data, the attacker submitted a forged cross-chain import payload that passed the bridge’s verification process. Once accepted, the system executed a series of transactions that transferred funds out of the protocol.
Hi @veruscoin It seems abnormal assets outflow (~$11.4m) from Verus-Ethereum Bridge: https://t.co/2Ol7cngtjY
The funds are currently parked in the following address: https://t.co/YaMyk4ffZH pic.twitter.com/UMhgLOtjSm
— PeckShield Inc. (@peckshield) May 18, 2026
Once accepted, the bridge automatically moved to execution, where funds were released without a final independent check to ensure the proof matched the legitimate cross-chain state.
Why the system failed
The core issue was not just weak verification, but a broken link between verification and action.
The bridge accepted a manipulated PartialTransactionProof during the proveImports stage. However, the later execution step (processTransactions) did not reconfirm that the approved proof was still valid and correctly bound to the resulting transfers.
This created a gap where a “passed” check effectively meant “execute,” even if the underlying input was forged. In simple terms, the system trusted the first check too much.
What this reveals about cross-chain bridges
This exploit highlights a deeper structural issue in cross-chain systems. Bridges are designed to move assets between chains that do not naturally trust each other. Yet, they often rely on internal assumptions of correctness once a proof passes an early validation step.
That assumption is risky. The key lesson is that verification cannot be treated as a one-time gate. It must be continuously enforced through execution, with strict binding between input proofs and final state changes.
Without that, attackers do not need to break cryptography — they only need to exploit gaps in workflow logic. This incident reinforces a broader reality: cross-chain bridges are still one of the most fragile layers in decentralized infrastructure, not because of blockchain failure, but because of system design assumptions.
The heightened focus comes as illicit cross-chain activity has surged to $21 billion according to Elliptic’s latest Cross-Chain Crime Report, a sharp increase from $7 billion in 2023. Criminals are exploiting decentralized exchanges, cross-chain bridges, and anonymous swap services to obscure transaction trails, evade sanctions, and execute large-scale scams.
Enjoyed this? Bookmark DeFi Planet, explore related topics, and follow us on Twitter, LinkedIn, Facebook, Instagram, Threads and CoinMarketCap Community for seamless access to high-quality industry insights.
Take control of your crypto portfolio with DEFI PLANET PRO, DeFi Planet’s suite of analytics tools.
