Est. MMXXVI · Vol. VI · № 282
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 276 · Bridge Exploit

Verus-Ethereum Bridge Value-Binding Gap

Verus-Ethereum bridge paid out $11.58M after an attacker submitted a 0.02 VRSC export — no source/destination value-binding check on either side.


In the early hours of May 18, 2026 (~00:54 GMT), the Verus-Ethereum bridge was drained of approximately $11.58 million (1,625 ETH, 103.6 tBTC, and 147,000 USDC) after an attacker exploited a classic source/destination value-binding gap in the bridge's verification path. The attacker constructed a Verus-side export transaction worth just 0.02 VRSC whose payload committed to a payout instruction that released the full vault value on Ethereum. The stolen assets were swapped to 5,402.4 ETH and laundered through Tornado Cash, with attacker infrastructure traceable to a Tornado seed deposit staged in advance. Blockaid first surfaced the suspicious flow; the bridge was paused after the drain had completed.

What happened

The Verus-Ethereum bridge architecture, on paper, validates messages on both ends of the bridge — the Verus side confirms the export, the Ethereum side verifies the proof of export before releasing assets. In practice, the verification on both sides omitted a crucial field:

Neither side was required to validate that the source-burn value matched the destination-payout value.

The export transaction's payload contained a cryptographic commitment to a payout instruction. The Verus side checked that the export was well-formed and the user had paid the export fee. The Ethereum side verified the proof of export and executed whatever payout the committed payload specified. Nothing in the chain of checks compared the input value on Verus against the output value on Ethereum.

The attack:

  1. The attacker constructed a Verus export transaction that burned 0.02 VRSC on the source side (a trivial amount, well under one US cent).
  2. The transaction's payload committed to a payout instruction that specified the maximum extractable value from the Verus-side vault on Ethereum: 1,625 ETH, 103.6 tBTC, and 147,000 USDC.
  3. The export was confirmed on Verus and the proof was relayed to the Ethereum bridge contract.
  4. The Ethereum contract verified the proof was valid, did not compare the 0.02 VRSC source value against the multi-million-dollar payout, and released the full payout to the attacker.
  5. The attacker immediately swapped the tBTC and USDC for ETH, ending up with 5,402.4 ETH (~$11.5M), and routed the proceeds into Tornado Cash. On-chain tracing tied the operation's gas funding back to a Tornado seed deposit staged in advance, confirming premeditation.

Aftermath

  • Bridge paused post-drain; no further outflows.
  • No recovery: the funds were laundered into Tornado Cash within hours.
  • The Verus team published a brief post-incident statement acknowledging the value-binding gap and committing to a redesign of the verification path.
  • The incident pushed PeckShield's May 2026 bridge-exploit tally past $328.6M across eight incidents, prompting widespread "bridge hacks are back" coverage.

Why it matters

This is the same class of vulnerability that produced the two largest bridge incidents of 2022:

  • Wormhole (Feb 2022, $325M) — Solana-side guardian-signature verification accepted a forged VAA because the signature-set check could be bypassed.
  • Nomad (Aug 2022, $190M) — Ethereum-side process() function accepted any message whose root hashed to a zero-initialised slot, because the initialisation check didn't enforce a non-zero root.

In each case, the bridge's verification surface was wide enough that a single missing check on a single field broke the entire security model. Verus-Ethereum in 2026 is the same pattern, four years later, in a smaller protocol: the verification path didn't compare a single number — source-side value against destination-side payout — and that omission let an attacker pay 0.02 VRSC for $11.58M in real assets.

The lessons that the catalogue keeps re-stating after every instance of this pattern:

  1. Source/destination value binding must be an inviolable check at the destination contract — independent of any signature, proof, or commitment from the source side. The destination has to know, in its own contract logic, what was burned to authorise what is being paid out.
  2. Bridge verification surfaces should be minimised, not extended — every additional field in the payload that influences payout is another field that must be bound to source-side cost.
  3. Pre-staged Tornado funding is a reliable on-chain indicator that an incident is operator-prepared rather than opportunistic — and is now sufficiently routine in bridge-attack tradecraft that monitoring for Tornado outflows to fresh wallets that subsequently interact with major bridges is a defensive standard.
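As an added illustration, not code from the Verus or Ethereum bridge contracts nor from this catalogue, the following Python model condenses the verification path described under "What happened" and the first lesson above: both release paths verify the proof of export, but only the bound one prices the committed payout in the destination's own logic against the value the proven export actually burned. The vault balances are the dossier's reported figures; the VRSC exchange rates and the export-fee amount are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# Vault balances as reported in the dossier; the VRSC-per-unit rates and the
# export fee are constructed assumptions used only to price payouts in this model.
VAULT_START = {"ETH": 1625.0, "tBTC": 103.6, "USDC": 147000.0}
VRSC_PER_UNIT = {"ETH": 5000.0, "tBTC": 150000.0, "USDC": 2.0}
EXPORT_FEE_VRSC = 0.01


@dataclass(frozen=True)
class Export:
    burned_vrsc: float   # value burned on the source (Verus) side
    payout: dict         # asset -> amount the payload asks the destination to release

    def commitment(self) -> str:
        # The relayed proof of export commits to the whole export transaction,
        # so the destination does learn the burned amount; the bug is not using it.
        body = json.dumps({"burned": self.burned_vrsc, "payout": self.payout}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def source_accepts(e: Export) -> bool:
    # Verus-side check as the dossier describes it: well-formed export, fee paid.
    return e.burned_vrsc >= EXPORT_FEE_VRSC and all(a > 0 for a in e.payout.values())


def _pay(e: Export, vault: dict) -> dict:
    # Debit the vault for each asset in the committed payout instruction.
    for asset, amount in e.payout.items():
        if vault.get(asset, 0.0) < amount:
            raise ValueError(f"vault lacks {amount} {asset}")
        vault[asset] -= amount
    return dict(e.payout)


def release_unbound(e: Export, proof: str, vault: dict) -> dict:
    # Vulnerable path: a valid proof of export is enough to execute the payout.
    if proof != e.commitment():
        raise ValueError("proof of export does not match payload")
    return _pay(e, vault)


def release_bound(e: Export, proof: str, vault: dict) -> dict:
    # Hardened path: the destination prices the payout itself and refuses
    # anything worth more than what the proven export burned on the source.
    if proof != e.commitment():
        raise ValueError("proof of export does not match payload")
    owed_vrsc = sum(amount * VRSC_PER_UNIT[asset] for asset, amount in e.payout.items())
    if owed_vrsc > e.burned_vrsc:
        raise ValueError(f"payout worth {owed_vrsc} VRSC exceeds burned {e.burned_vrsc} VRSC")
    return _pay(e, vault)
```

An export burning 0.02 VRSC with the full vault as its committed payout passes `source_accepts` and `release_unbound` but is rejected by `release_bound` before any vault debit happens.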

Verus is a smaller protocol than Wormhole or Nomad, and the absolute loss is correspondingly smaller. But its place in the catalogue is to underline that the bridge security lessons of 2022 have not been universally absorbed — not even by protocols that had four years to learn from the public post-mortems of larger predecessors. In a single five-day window in May 2026, the catalogue gained three bridge or cross-chain incidents — Verus alongside THORChain and Echo Protocol — covering three distinct vector classes (validation gap, signing-scheme flaw, admin-key compromise) that together delivered nearly $100M in nominal value at risk.
