May 18, 2026 ChainGPT

Verus-Ethereum "No-Code" Bridge Hit by $11.6M Heist in Single Transaction

Verus-Ethereum Bridge Loses $11.6M in Single Transaction Despite “No-Code” Security Claims

A hacker drained roughly $11.58 million from the Verus–Ethereum bridge in a single outbound transfer on May 17, 2026, hitting a cross‑chain project that had explicitly marketed itself as immune to smart‑contract exploits. The incident was flagged in real time by blockchain security firm Blockaid and later amplified by on‑chain intelligence account @coinxtreme_en on X.

What moved out

Blockchain monitors show the drainer wallet 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 received a single transfer made up of:

- ~1,625 ETH (~$3.43M)
- ~103.57 tBTC (~$7.96M)
- 147,000 USDC (~$147k)

On‑chain traces indicate most of the stolen assets were quickly swapped into ETH on Uniswap.

Why this stings

Verus marketed its bridge as relying on “protocol rules, not custom code,” promoting an architecture built around cryptographic proofs, notary witnesses and protocol‑level validation instead of bespoke smart‑contract logic — an approach intended to reduce the attack surface. The attack exposes the awkward irony that “no custom code to exploit” can still leave a bridge vulnerable in practice.

Suspicious timing suggests sophistication

The timeline around the exploit has raised red flags. Two days before the theft, Verus released an emergency update (version 1.2.14‑2) labeled urgent and mandatory, citing an unspecified vulnerability. According to @coinxtreme_en, the attacker’s wallet received funds via Tornado Cash about 11–13 hours after that announcement — a pattern consistent with a party that may have had prior knowledge of the flaw and used the update window to position attack infrastructure.

This pattern is familiar in DeFi: emergency patches that reveal the existence — but not the full scope — of a vulnerability can give sophisticated actors a narrow opportunity to strike before fixes are fully validated.

Broader implications for bridges and DeFi security

Cross‑chain bridges have been the single most-targeted layer in decentralized finance and account for a disproportionate share of DeFi losses since 2021. The Verus incident underscores persistent gaps between design assumptions and operational reality: elegant protocol models still need formal verification, independent audits, and the operational discipline to pause or restrict functionality when credible threats are identified.

Market reaction

Ethereum’s price showed further softness following the weekend, trading down roughly 10% over the past week and about 3% in the last 24 hours as of this writing.