The failure was in the validation of the financial support, according to Blockaid.
PeckShield says there have been 8 bridge attacks since mid-May.
The bridge that links the Verus and Ethereum networks was drained for approximately USD 11.58 million in an attack carried out on May 17, according to the on-chain cybersecurity firm Blockaid. The stolen tokens were 1,625 ethers (ETH), 103.6 tBTC (a wrapped version of bitcoin) and $147,000 in the USDC stablecoin. The Verus team has not issued an official statement yet.
At the time of writing, the address associated with the hacker maintains about USD 11.4 million in etherconverted from the assets removed from the bridge, according to data from Arkham.
The failure: absent financial support, valid cryptographic proof
According to the Blockaid team, the bridge smart contract linking both chains correctly verified three elements: the Verus notarized state root (with eight out of fifteen valid notary signatures), the Merkle proof of cross-chain export, and that the hash of the transfer package coincided with the one committed to the export.
What it did not verify was that the amounts declared in that export (through functions such as totalAmounts, totalBurned, totalFees) were effectively backed by value locked or burned on the source chain.
A cross-chain bridge (a mechanism that allows assets to be moved from one network to another without a centralized intermediary) depends on each payment at the destination being backed by an equivalent block-or-burn at the origin. The Verus-Ethereum bridge verified the formal integrity of messages, but not that economic correspondenceaccording to Blockaid researchers.
The attacker constructed a transaction of just 0.02 VRSC (Verus native token) costing approximately $10 in fees, whose export field compromised a transfer hash but declared empty source amounts. The Verus network accepted that transaction as valid; the notaries signed the resulting state root without detecting anomaly.
When the attacker called the function submitImports on Ethereum with the serialized packet, the contract verified that the hash matched, decoded the blob, and released the funds from its reservesaccording to Blockaid. According to this team, incorporating this economic validation into the function checkCCEValues of the contract would require approximately ten lines of Solidity.
According to BlockSec Phalcon, another on-chain cybersecurity firm, between message verification and payment execution on Ethereum There is no control that confirms whether the economic support in the chain of origin is sufficient. This firm also clarified that the deployed contract is not open source and that its analysis is based on the attack transactions and the public repository, which may not reflect the complete implementation.
One attack among many
Since mid-May 2026, eight exploits against cross-chain exchange protocols have accumulated USD 328.6 million in lossesaccording to security analysts at the PeckShield platform. Among them, the hacks to KelpDAO and LayerZero, as well as the one suffered by the Hyperbridge between Polkadot and Ethereum.
The firm included in that account the recent hack of THORChain, a platform that operates as a decentralized exchange (DEX) and not strictly as a bridge, although it also facilitates exchanges between different chains.
The attack on the Verus-Ethereum bridge joins a list of incidents that share the same pattern: smart contracts that verify the form of the messages they receive, but not the value behind them.