# An attacker has siphon off more than $11.5 million in crypto assets through a forged cross-chain transfer message.

*web3 · news · 2026-05-18 · Crypto News*

## Key points

- The Verus-Ethereum bridge exploit was due to missing source-amount validation in checkCCEValues.
- Attackers used a forged cross-chain import payload that bypassed the bridge’s verification process.
- The flaw could reportedly be fixed with about 10 lines of Solidity code.
- Attack methods resembled the 2022 Nomad and Wormhole bridge exploits involving fraudulent transfer instructions.
- The attacker initially funded their wallet via Tornado Cash shortly before the exploit.

**Companies:** Blockaid, PeckShield, ExVul

[Read the full story on Crypto News](https://crypto.news/verus-ethereum-bridge-drained-of-11-5m-in-forged-transfer-exploit/)

---

Canonical: https://newsio.io/n/5960a57e-8881-400f-b84d-5a9507924f8a/an-attacker-has-siphon-off-more-than-11-5-million-in-crypto-assets-through-a-for
Summarized by Newsio from Crypto News. https://newsio.io/how-it-works