- Cross-chain attacks are one of the largest security risks in decentralized finance (DeFi), with crypto bridge hacks exceeding $328 million in 2026.
- Vulnerabilities in bridge verification systems, validator infrastructure, and smart contracts were revealed by significant occurrences involving Kelp DAO, Verus-Ethereum, THORChain, ZetaChain, IoTeX, and CrossCurve.
- Nearly $292 million in losses were caused by the Kelp DAO incident alone, and attackers are increasingly using flawed validation logic instead of private keys.
Are Crypto Bridge Hacks Becoming DeFi’s Biggest Security Threat? Attackers are increasingly focusing on bridge verification systems, validator infrastructure, and smart contract vulnerabilities throughout decentralized finance (DeFi), and major cross-chain exploits have already depleted over $328 million in 2026.
The cryptocurrency sector has seen at least eight significant bridge-related hacks this year, with a total of $328.6 million in losses, according to blockchain security company PeckShield.
The seventh important bridge exploit of 2026 occurred on May 18 and included the Verus-Ethereum bridge.
How Hackers Drained $11.58M From The Verus Ethereum Bridge?
On April 18, attackers stole 116,500 rsETH, or roughly $292 million, from Kelp DAO’s LayerZero-powered bridge infrastructure. This was the largest exploit of the year.
According to investigators, hackers tricked the bridge into distributing rsETH without a valid deposit on a different chain by fabricating a LayerZero message.
Later, the attacker borrowed more than $236 million in ETH and WETH against the fictitious collateral using DeFi lending protocols, namely Aave, across Ethereum and Arbitrum.
The attacker got cash through Tornado Cash prior to the exploit, according to security firms like Cyvers and PeckShield, indicating a planned operation.
The hack was later connected to North Korea’s Lazarus Group by several cybersecurity experts.Attackers used vulnerabilities in the Verus-Ethereum bridge’s cross-chain verification procedure to steal around $11.58 million on May 18.
Cross-chain Verification Flaw Triggers $11.58M Verus Hack
Blockaid and PeckShield claim that hackers circumvented source-side balance verification checks to steal 1,625 ETH, 103.6 tBTC, and about 147,000 USDC. Afterwards, the pilfered money was converted into about 5,402 ETH.
According to researchers, the exploit was similar to flaws found in the 2022 Nomad bridge and Wormhole breaches. Attackers took advantage of missing validation logic that failed to verify whether transfer amounts matched rewards rather than compromising private keys.
Protocol for cross-chain liquidity. Following a $10.8 million exploit linked to a hacked validator node on May 15, THORChain momentarily stopped swaps and liquidity activities.
By taking advantage of flaws in THORChain’s GG20 threshold signature system, the breach depleted assets from its Asgard vaults. Since losses were restricted to protocol-owned liquidity, THORChain subsequently verified that user-controlled funds were unaffected.
ZetaChain, IoTeX, CrossCurve Hit In Rising Cross-chain Exploits
In April, ZetaChain revealed that a $333,000 hack using their GatewayEVM smart contract was the result of several flaws. IoTeX, meanwhile, disclosed a $4.3 million attack that affected their ioTube bridge and was linked to a compromised validator key.
Additionally, CrossCurve lost around $3 million as a result of attackers using an Axelar-linked contract to spoof cross-chain messages, causing the protocol to halt bridge operations.
Concerns about DeFi security are more widespread at the time of the increase in bridge exploits. Cross-chain infrastructure is increasingly at risk, as evidenced by data from DeFiLlama that indicates DeFi protocols documented losses of over $20 million in May alone and breaches exceeding $606 million in April.
You need to login in order to Like
Leave a comment