Verus-Ethereum Bridge — Cross-chain Verification Bypass — May 18, 2026

Ethereum | Verus | Cross-chain bridge exploit | $11.6M | Cluster: VRS-BRG-2026-05

>10 victims identified on this incident

Facts and investigation

Attacker: Attack EOA: 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 — drainer wallet: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 (whitehat negotiation, 25% retained as bounty)

Funds moved to: 5,402.4 ETH consolidated on the drainer wallet; 4,052.4 ETH (~$8.5M) returned to Verus address 0xF9AB…C1A74 on 22 May 2026; 1,350 ETH (~$2.8M) kept as negotiated bounty.

Initial funding via Tornado Cash (1 ETH) ~14h before the attack. Drained assets converted to ETH via DEX routers and market makers within hours.

Timeline: On 18 May 2026 around 00:54 UTC, Blockaid detected the active exploit on the Verus-Ethereum Bridge. The attacker submitted a Verus transaction that spent ~$0.01 in VRSC fees and carried a transfer blob with empty source totals, signed by 8/15 notaries. The proof was then submitted to the Ethereum contract via submitImports(), and the bridge paid out ~$11.58M in ETH, tBTC and USDC without validating that source totals match destination payouts (a flaw in checkCCEValues; ~10 missing Solidity lines per Blockaid). Drained assets: 1,625 ETH + 103.6 tBTC + ~147,659 USDC, converted into 5,402 ETH.

On 22 May 2026, PeckShield confirmed the return of 4,052.4 ETH (~$8.5M, 75% of the total) to the Verus team following a whitehat negotiation; 1,350 ETH (~$2.8M) was kept as bounty.

Same bug class as Wormhole-2022 and Nomad-2022: a missing source↔destination economic link, where the cryptographic validation is correct but the economic validation is missing.
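The economic check the timeline describes as missing, as an added example (not the Verus bridge's code or Blockaid's analysis): a Python model in which enough notary signatures are necessary but not sufficient, and an import is released only when the declared source totals match the payouts per currency. The names `Export`, `check_export_values` and `process_import`, the field layout, and the omission of fees are assumptions; the sample exports are constructed.

```python
from collections import Counter
from dataclasses import dataclass

NOTARY_THRESHOLD = 8  # the page reports 8/15 notary signatures on the proof


class ImportRejected(Exception):
    pass


@dataclass(frozen=True)
class Export:
    """Hypothetical, simplified view of a notarized cross-chain export."""
    source_totals: dict   # currency -> base units the source chain says it locked
    payouts: tuple        # (currency, recipient, amount) to release on the destination
    notary_sigs: int      # count of valid notary signatures (verification not modeled)


def payout_totals(export: Export) -> dict:
    """Sum the destination payouts per currency, rejecting non-positive amounts."""
    totals = Counter()
    for currency, _recipient, amount in export.payouts:
        if amount <= 0:
            raise ImportRejected(f"non-positive payout in {currency}")
        totals[currency] += amount
    return dict(totals)


def check_export_values(export: Export) -> dict:
    """Economic check: declared source totals must match payouts, currency by currency."""
    paid = payout_totals(export)
    declared = {c: v for c, v in export.source_totals.items() if v != 0}
    if paid != declared:
        raise ImportRejected(f"source totals {declared} do not match payouts {paid}")
    return paid


def process_import(export: Export) -> dict:
    """Release funds only if both the signature count and the economic check pass."""
    if export.notary_sigs < NOTARY_THRESHOLD:
        raise ImportRejected("not enough notary signatures")
    return check_export_values(export)


# Constructed samples: a balanced export, and one shaped like the incident
# (enough signatures, empty source totals, non-empty payouts).
BALANCED = Export({"ETH": 5 * 10**18}, (("ETH", "0xRecipientA", 5 * 10**18),), 8)
EMPTY_TOTALS = Export({}, (("ETH", "0xRecipientB", 5 * 10**18),), 8)
```

`process_import(BALANCED)` returns the per-currency amounts to release, while `process_import(EMPTY_TOTALS)` raises `ImportRejected` even though the signature threshold is met.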

Sources and coverage

Victim testimonies

No testimonies yet.