DeFi protocol Verus has become the latest victim of a cross-chain bridge exploit, losing approximately $11.5 million to an attacker who targeted a vulnerability in the bridge connecting the Verus and Ethereum networks. The incident was independently flagged by three blockchain security firms: Blockaid, PeckShield, and GoPlus.

According to PeckShield's analysis, the attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC before converting the entire haul into 5,402 ETH. As of the time of writing, those funds remain sitting in the hacker's wallet — unmoved since the exploit.

The attack appears to have been carefully premeditated. Some 14 hours before the breach, the perpetrator used the Tornado Cash mixer to obtain funds for gas fees — a well-known tactic used by sophisticated actors looking to obscure their on-chain footprint ahead of an operation.

GoPlus researchers explained that the attacker submitted a low-value transaction and triggered a specific contract function that allowed them to drain the bridge's reserves in a single call. Security experts are pointing to two likely root causes: either a flaw in the withdrawal logic or a signature forgery vulnerability in the cross-chain message verification process. The Verus development team has not issued any public statement.

The Verus-Ethereum bridge has been live since October 2023, while the underlying protocol itself dates back to 2018, originally built around user privacy as a core feature.

The incident adds to a grim industry tally. Total losses from DeFi exploits have now surpassed $7.7 billion, with cross-chain bridge vulnerabilities alone accounting for more than $3.2 billion of that figure — making bridges consistently the most exposed surface in decentralized infrastructure.

May has already proven to be a particularly brutal month for the sector. Shortly before the Verus attack, $10 million was drained from the THORChain cross-chain protocol, with developers confirming the breach but denying any plans for a compensation program. In April, the DeFi space saw its largest single incident of the year when Kelp was exploited in an attack attributed to the North Korean Lazarus Group.