Verus cross-chain bridge stolen for $11.58 million! DeFi hacker disasters out of control, 13 attacks already erupted in May

📄Full Article· Automatically extracted by trafilaturaGemini 翻譯2275 words

Author: HIBIKI, Crypto City Verus cross-chain bridge hacked, over $11.58 million lost The privacy-focused and decentralized blockchain network Verus saw its Ethereum cross-chain bridge suffer a hacker attack yesterday (18th), resulting in a loss of approximately $11.58 million. The official team has yet to respond to the public or media. According to investigations by security firms PeckShield and Blockaid, on-chain data shows that the attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge, subsequently swapping all stolen assets for 5,402 ETH. 🚨 Community alert: Blockaid's exploit detection system has identified an on-going exploit on the @veruscoin Verus-Ethereum Bridge (https://t.co/HEwYZqFEfC). ~$11.58M drained so far.More details in🧵 — Blockaid (@blockaid_) May 18, 2026 Security firm GoPlus further analyzed that the attacker likely sent low-value transactions to the bridge contract and called specific functions to trigger a bulk transfer of reserve assets to the hacker's wallet. This incident was likely caused by forged cross-chain message verification, bypassed withdrawal logic, or access control vulnerabilities. SlowMist founder Yu Xian also pointed out that the theft might have been caused by the attacker constructing a forged Merkle proof that passed verification on the Verus Ethereum bridge (which is not open-source), allowing the funds (ETH/tBTC/USDC) to be withdrawn. Specific details require further verification. Checked it, this @VerusCoin bridge was hacked for about $11.5M, funds are settled at: https://t.co/K57RnWVO5c The cause of the theft may be that the attacker constructed a forged Merkle proof, which passed the verification of the Verus Ethereum bridge (not open source), and then successfully withdrew the funds (ETH/tBTC/USDC). Specific details need to be verified. Image from https://t.co/rlIorNk6Bd https://t.co/hCZSWedUVV — Cos(余弦)😶🌫️ (@evilcos) May 18, 2026 Additionally, about 14 hours before the attack, the attacker's address transferred 1 ETH as initial capital through the mixer Tornado Cash. As of now, the Verus official team has not issued a public response regarding this incident. Verus incident occurs three days after the THORChain exploit The attack on the Verus cross-chain bridge comes just three days after another well-known cross-chain liquidity protocol, THORChain, was hacked. Crypto City reported that THORChain confirmed a hacker attack on May 15, with losses totaling approximately $10.8 million. After the abnormal transactions were discovered, the official team immediately suspended trading and certain cross-chain functions, and collaborated with security teams to launch an investigation. Preliminary investigations suggest that the hacker likely exploited vulnerabilities in the GG20 TSS multi-signature mechanism and malicious node collaboration. However, individual user wallets were not compromised, as losses were concentrated in the protocol's own liquidity and internal asset pools. DeFi hackers shift targets to infrastructure layer, increasing stealth and destructive power This year has been turbulent for DeFi. According to DeFiLlama data, before the Verus incident, 12 DeFi protocols had already been attacked in May 2026, with cumulative losses exceeding $20 million for the month. Including Verus, the count reaches 13, with losses reaching the tens of millions of dollars. Recent hacker attacks indicate that attackers have shifted their focus from simply searching for smart contract vulnerabilities to attacking the deeper infrastructure layer. The risks of cross-chain protocols are far higher than single-chain DeFi because their architecture involves complex links such as cross-chain information synchronization, verification nodes, asset routing, and multi-signature schemes. Today's infrastructure-layer attacks include Remote Procedure Calls (RPC), verification networks, oracles, and cross-chain messaging systems. These types of attacks are often harder to detect, and once successful, can easily impact and transfer large-scale funds directly. Taking the KelpDAO hack in early 2026 as an example, the protocol lost as much as $292 million in a short period. A report later released by the cross-chain protocol LayerZero stated that the core issue was that KelpDAO's cross-chain configuration used a single-validator model. By polluting the RPC, the hacker tampered with on-chain state information of certain nodes, causing the validator to misjudge the authenticity of the information, ultimately successfully forging cross-chain messages and bypassing security checks.

Data Status✓ Full text extractedRead Original (區塊客)

🔍Historical Similar Events· Keyword + Asset Matching6 items

2026-05-18

May’s DeFi Hack Tally Grows as Verus Bridge Reportedly Loses $11.58 Million

Similarity 170%關鍵字 verus/defi同分類 hot

2026-05-18

Verus Ethereum bridge reportedly exploited for $11.6M in latest DeFi attack

Similarity 130%關鍵字 verus/defi

2026-05-18

Verus Ethereum Cross-Chain Bridge Attacked! Blockaid Monitoring: Losses Exceed $11.58 Million

Similarity 130%關鍵字 verus/萬美元

2026-05-27