Gravity Bridge has lost about $5.4 million following an early Saturday drain that security researchers linked to a possible signing key compromise.
Summary
- Gravity Bridge lost about $5.4 million after security researchers flagged unusual withdrawals tied to a possible signing-key compromise.
- PeckShield said the stolen assets included USDC, wrapped ether, USDT, and PAXG, with some funds moved through ChangeNow and Binance.
- The Gravity team halted the bridge and asked validators and orchestrators to stop while it investigates the incident.
On-chain analyst Specter first flagged the unusual withdrawals, saying the pattern suggested that the bridge's signing keys might have been compromised rather than its smart contract code. Security firm PeckShield later posted the same assessment and shared a breakdown of the stolen assets.
Gravity Bridge halts operations after fund drain
According to PeckShield, the stolen assets included about $4.3 million in USDC, 274 wrapped ether valued at around $553,000, $434,000 in USDT, and 14.16 PAXG worth around $64,000. The firm said the funds moved to a wallet ending in 7C62da1F9.
Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906. The analyst said the transaction pattern appeared consistent with unauthorized withdrawals approved through compromised authorization rather than a direct exploit of contract logic.
The Gravity team later confirmed an incident on X and asked validators to stop their validators and orchestrators while the investigation continues. In another update, the team said the bridge had been halted as it reviewed the attack.
Researchers point to the authorization layer
Gravity Bridge connects Ethereum with the Cosmos ecosystem by locking assets on Ethereum and minting mirrored tokens on Cosmos. Validator signatures authorize asset movement across the bridge.
According to Specter's early assessment, an attacker who controls enough valid signing keys could make withdrawals appear legitimate to the system. PeckShield's report also focused on the stolen funds and the movement of assets after the drain.
The Gravity team has not released a postmortem, so the exact entry point remains unconfirmed. Its public updates have only confirmed the incident, the halt, and the ongoing investigation.
Attacker moves funds through swap services
PeckShield said part of the stolen funds had already moved through ChangeNow and Binance after the attack. The firm also reported that the stolen-funds wallet still held about 2,100 ETH, valued near $4.23 million, when it published its update.
A wallet snapshot shared by Specter via Arkham showed a related address holding roughly $4.16 million in ether. These movements show that investigators are tracking the funds across multiple services and wallets.
Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton, or GRAV, token. The protocol has not yet explained whether validator infrastructure, private keys, or another operational weakness allowed the withdrawals.
If the early assessments are confirmed, the Gravity Bridge incident would join other 2026 bridge attacks where key-management failures, rather than audited contract code, played a central role. Similar concerns appeared in the Kelp DAO and Resolv incidents earlier this year, according to security researchers cited in those cases.
TRM Labs has reported that bridge attacks remain a major source of crypto losses in 2026. The Gravity Bridge loss is smaller than some past bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.


