The Verus Protocol's Ethereum bridge was hit by an exploit on Monday, with the attacker making off with at least $11.58 million in digital assets.
Blockchain security platform Blockaid flagged the hack, posting to X that its detection system caught the breach. Onchain data shows the attacker moved 1,625 Ether, 147,659 USDC, and 103.57 tBTC v2.
Blockaid says this appears to be "NOT an ECDSA bypass. NOT a notary key compromise. NOT a parser/hash-binding bug." Instead, it's a missing source-amount validation in checkCCEValues-a flaw fixable with roughly 10 lines of Solidity code.
Security firm ExVul confirmed the attacker used a "forged cross-chain import payload" that tricked the bridge's verification flow into approving three unauthorized transfers.
PeckShield also labeled the transfer an exploit. The funds have since been converted to Ether, with the attacker's wallet now holding over 5,400 ETH, worth about $11.4 million.
Verus had not publicly confirmed the incident at press time.
This is the latest in a string of high-profile DeFi attacks. Crypto hackers stole over $168 million in Q1 2026 alone. Earlier this year saw two massive exploits: a $280 million attack on Drift Protocol and a $292 million breach of Kelp. Just this past weekend, THORChain confirmed a $10 million exploit.
The Verus incident mirrors the $190 million Nomad Bridge and $325 million Wormhole exploits of 2022, experts note, underscoring the persistent vulnerability of cross-chain bridges.