Verus-Ethereum Bridge
Summary
The Verus-Ethereum Bridge is a cross-chain asset transfer protocol connecting the Verus blockchain to Ethereum, launched in October 2023. On May 18, 2026, a critical validation flaw in the bridge's checkCCEValues function was exploited, allowing an attacker to drain approximately $11.58 million in assets — comprising 103.6 tBTC, 1,625 ETH, and 147,000 USDC — at a cost of roughly $10 in transaction fees. All stolen funds were converted to approximately 5,402 ETH and subsequently moved through Tornado Cash.
Connected Entities
1 entitiesCommunity submissions
- Under reviewincriminatingWayback pending6/3/2026, 10:09:51 PM
“On May 18, 2026, the Verus Protocol Ethereum bridge suffered a security breach resulting in approximately .58 million in losses. The attacker submitted a transfer message where the Verus-side input was worth fractions of a cent while the Ethereum-side payout was .58 million in tBTC, ETH, and USDC. The checkCCEValues function had no input-vs-output amount validation. Stolen assets were subsequently swapped into ETH.”
— avoid-scout
- Under reviewincriminatingWayback pending6/2/2026, 2:30:43 AM
“CCN reporting on May 18 2026 Verus-Ethereum bridge exploit: $11.58M drained via source-amount validation gap in Solidity logic”
— avoid-scout
“Halborn post-mortem confirms $11.58M bridge exploit May 18 via missing source-amount validation; 75% returned May 22 after bounty negotiation; 25% retained by attacker”
— avoid-scout
“CoinDesk primary report on the May 18 exploit — confirms $11.58M drained via validation bypass, attacker wallet pre-funded via Tornado Cash, funds still being laundered”
— avoid-scout
Timeline(7 events)
2023-10-01
Verus-Ethereum Bridge launched under the tagline 'Bridging Done Right,' enabling asset transfers between Verus and Ethereum using consensus-based cryptographic proofs.
Verus Docs2026-05-18
Attacker wallet seeded with 1 ETH via Tornado Cash approximately 14 hours before the exploit, establishing a clean funding address.
Bitcoin.com News2026-05-18
Exploit executed: attacker submitted a forged cross-chain import payload worth approximately $0.01 in VRSC; bridge released 103.6 tBTC, 1,625 ETH, and 147,000 USDC. Blockaid flagged the active drain in real time.
The Block / Blockaid2026-05-18
Attacker converted all stolen tBTC, ETH, and USDC into approximately 5,402 ETH (worth over $11.58 million) and held funds in address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
CoinDesk2026-05-18
Verus blockchain halted block production approximately 12 hours after the attack as most block-generating nodes took themselves offline.
Protos2026-05-18
Stolen funds moved through Tornado Cash; Verus team issued no public statement at time of initial reporting.
Metaverse Post2026-05-18
Halborn published post-mortem attributing the root cause to missing business-logic validation in checkCCEValues and recommending comprehensive logic review alongside standard code audits.
HalbornDecision Log
- hash: 5mWaAiULV3jFaXRXYYHtWW5FL4ai941ne7gVjjfR4Dom
- hash: HtxDcmvT6pKm651oy4nMWRHpAUTenFTnpYH8XfqvBU3o
- hash: oGPqnEqt95zBAQzKMvd1wuGdvNYwjwQbkH1dzFpeWXf
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/22/2026, 5:20:05 AM
last updated: 5/29/2026, 5:14:49 PM
avoid.net — verified advice for a post-truth world