Analysts suspect the hacker used a forged cross-chain message or bypassed the verification logic in the contract.
The DeFi protocol Verus has suffered an attack on its cross-chain bridge to Ethereum (ETH). The attacker withdrew approximately $11.6 million in crypto assets.
Hot topic: BitMEX Co-Founder Cuts Bitcoin Price Forecast From $500K to $125K
How the Hack Happened
According to PeckShield and Blockaid, the hacker sent a low-value transaction and triggered a contract function to mass-withdraw reserves. The attack was likely based on a forged cross-chain import payload or a bypass of the verification logic in the contract, possibly missing source-amount validation in the checkCCEValues function.
GoPlus experts noted that the attacker bypassed verification and tricked the bridge into sending funds from its reserves to the hacker’s wallet. The attacker’s address was funded through the Tornado Cash mixer approximately 14 hours before the attack.
As a result, 103.6 tBTC, 1,625 ETH▲$1,692.73, and 147,000 USDC▲$0.9996 were withdrawn. Some of the assets were quickly converted into 5,402 ETH.
The Verus team temporarily halted network operations. Developers stated that most nodes automatically disconnected after detecting anomalies. A detailed report on the vulnerability has not yet been published.
Read more: Hackers Stole $169 Million From 34 DeFi Protocols — DefiLlama Q1 Report
Context of DeFi Attacks
This marks the fifth major hack in the DeFi sector since the beginning of May. In April 2026, hackers stole a record $635M, including the attacks on Kelp DAO ($292M) and Drift Protocol ($285M).
Total funds lost in DeFi due to hacks have exceeded $7.7B. More than $3.2B of that amount comes from cross-chain bridge vulnerabilities alone.
Learn more: What Is Crypto Cybersecurity? The Ultimate Guide to Protecting Digital Assets
