# Verus-Ethereum Bridge Drained for $11.6 Million in Forged Merkle Proof Attack
The Verus-Ethereum bridge became the latest cross-chain infrastructure to fall victim to hackers, losing $11.6 million in an exploit that on-chain security platform Blockaid detected on May 18, 2026.
The attacker exploited a forged Merkle proof vulnerability to drain assets from the bridge, which connects the Verus blockchain to Ethereum. The stolen funds were swapped for 5,402 ETH and remain in the attacker’s wallet address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
## How the Exploit Worked
The attack exploited a weakness in how the bridge validates cross-chain transactions. Merkle proofs allow one blockchain to verify that a transaction occurred on another blockchain without running a full node. The Verus-Ethereum bridge failed to properly verify the authenticity of these proofs, letting the attacker forge a proof that faked a legitimate deposit on the Verus side.
Once the Ethereum-side bridge contract accepted the forged proof, it released funds that were never deposited. The attacker grabbed the bridged assets before operators could halt transactions.
Security firm PeckShield confirmed the attacker consolidated the stolen assets into ETH. The funds hadn’t moved as of initial reports.
## Bridge Exploits Keep Piling Up
The Verus bridge hack is part of a worsening trend. Cross-chain bridge exploits have now caused more than $329 million in losses in 2026 alone, according to data from blockchain security firms.
Earlier in May, the Gravity Bridge lost $5.4 million in a suspected signing key compromise, and the DxSale platform was drained for $7.3 million across 1,400 liquidity pools on BNB Chain. The Kelp DAO bridge hack in April — the largest DeFi exploit of 2026 at $292 million — showed that even audited bridge protocols stay vulnerable.
Bridge infrastructure has been a persistent weak point in crypto security since the earliest cross-chain protocols launched. Bridges require complex validation logic that must account for differences between blockchains, creating a large attack surface that sophisticated hackers keep hitting.
## OpenZeppelin Co-Founder: All DeFi Is Unsafe
The bridge hack comes amid growing alarm about DeFi security. OpenZeppelin co-founder Manuel Aráoz declared on May 26 that he now considers “all of DeFi unsafe,” warning that AI-powered coding agents have become superhuman at finding vulnerabilities in smart contracts.
Over $1.1 billion has been lost to DeFi hacks in the past 12 months, and 2026 is on track to surpass that figure. The Verus bridge exploit alone brings May’s DeFi hack total to over $17 million.
## What Users Should Do
For users with funds on the Verus-Ethereum bridge, the exploit drained the bridge contract directly — meaning user deposits held in the bridge were taken. Anyone who hadn’t withdrawn from the bridge may have lost their funds.
The broader lesson: cross-chain bridges carry significant security risk. Security experts recommend minimizing bridge usage and sticking to bridges that passed multiple independent audits, carry insurance coverage, and have long track records without prior incidents.
The Verus team hasn’t announced a recovery plan or compensation for affected users.
## FAQ
**How much was stolen in the Verus bridge hack?**
$11.6 million drained from the Verus-Ethereum bridge in a forged Merkle proof attack on May 18, 2026.
**What is a forged Merkle proof attack?**
A Merkle proof lets one blockchain confirm events on another. In a forged proof attack, the hacker creates a fake proof that tricks the bridge into releasing funds that were never deposited.
**Have the stolen funds been recovered?**
No. The attacker swapped the stolen assets for 5,402 ETH. The funds hadn’t moved as of the latest reports.
