Gravity Bridge has lost about $5.4 million following an early Saturday drain that security researchers linked to a possible signing key compromise.
Abstract
- Gravity Bridge lost about $5.4 million after security researchers flagged unusual withdrawals tied to a possible signing-key compromise.
- PeckShield said the stolen assets included USDC, wrapped ether, USDT, and PAXG, with some funds moved through ChangeNow and Binance.
- The Gravity team halted the bridge and asked validators and orchestrators to stop while it investigates the incident.
On-chain analyst Specter first flagged the unusual withdrawals, saying the pattern suggested that the bridge's signing keys may have been compromised rather than its smart contract code. Security firm PeckShield later posted a similar assessment and shared a breakdown of the stolen assets.
Gravity Bridge halts operations after fund drain
According to PeckShield, the stolen assets included about $4.3 million in USDC, 274 wrapped ether valued at around $553,000, $434,000 in USDT, and 14.16 PAXG worth around $64,000. The firm said the funds moved to a wallet ending in 7C62da1F9.
Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906. The analyst said the transaction pattern appeared consistent with unauthorized withdrawals approved through compromised authorization rather than a direct exploit of contract logic.
The Gravity team later confirmed an incident on X and asked validators to stop their validators and orchestrators while the investigation continues. In another update, the team said the bridge had been halted as it reviewed the attack.
Researchers point to the authorization layer
Gravity Bridge connects Ethereum with the Cosmos ecosystem by locking assets on Ethereum and minting mirrored tokens on Cosmos. Validator signatures authorize asset movement across the bridge.
According to Specter's early assessment, an attacker who controls enough valid signing keys could make withdrawals appear legitimate to the system. PeckShield's report also focused on the stolen funds and the movement of assets after the drain.
The Gravity team has not released a postmortem, so the exact entry point remains unconfirmed. Its public updates have only confirmed the incident, the halt, and the ongoing investigation.
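The authorization model described in this section, as an added sketch that is not Gravity Bridge's code: a quorum check accepts any withdrawal carrying enough valid validator signatures, so only an independent reconciliation against source-chain requests can tell a key-compromise withdrawal from a real one. The validator names, keys, voting powers, two-thirds threshold, message format and the `monitor` check are all assumptions, and HMAC stands in for the real signature scheme.

```python
import hashlib
import hmac

# Constructed validator set: name -> (signing key, voting power). All values are made up.
VALIDATORS = {
    "val-a": (b"key-a", 40),
    "val-b": (b"key-b", 30),
    "val-c": (b"key-c", 20),
    "val-d": (b"key-d", 10),
}
TOTAL_POWER = sum(power for _, power in VALIDATORS.values())


def withdrawal_message(recipient: str, token: str, amount: int, nonce: int) -> bytes:
    """Canonical bytes the validators sign for one withdrawal (hypothetical format)."""
    return f"{recipient}|{token}|{amount}|{nonce}".encode()


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for the validator's real signature scheme."""
    return hmac.new(key, message, hashlib.sha256).digest()


def signed_power(message: bytes, signatures: dict[str, bytes]) -> int:
    """Sum the voting power of validators whose signature over message verifies."""
    power = 0
    for name, sig in signatures.items():
        if name in VALIDATORS and hmac.compare_digest(sig, sign(VALIDATORS[name][0], message)):
            power += VALIDATORS[name][1]
    return power


def bridge_accepts(message: bytes, signatures: dict[str, bytes]) -> bool:
    """Assumed rule: strictly more than two thirds of total power must have signed."""
    return 3 * signed_power(message, signatures) > 2 * TOTAL_POWER


def monitor(message: bytes, signatures: dict[str, bytes], source_requests: set[bytes]) -> str:
    """Independent check: a quorum-signed withdrawal must match a source-chain request."""
    if not bridge_accepts(message, signatures):
        return "rejected"
    return "ok" if message in source_requests else "alert"
```

The quorum check sees only signatures, which is why an audit of the contract logic does not cover this failure mode; the reconciliation step is where a defender gets a signal.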
Attacker moves funds through swap services
PeckShield said part of the stolen funds had already moved through ChangeNow and Binance after the attack. The firm also reported that the wallet holding the stolen funds still held about 2,100 ETH, valued near $4.23 million, when it published its update.
A wallet snapshot shared by Specter through Arkham showed a related address holding roughly $4.16 million in ether. These movements show that investigators are tracking the funds across multiple services and wallets.
Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton, or GRAV, token. The protocol has not yet explained whether validator infrastructure, private keys, or another operational weakness allowed the withdrawals.
If the early assessments are confirmed, the Gravity Bridge incident would join other 2026 bridge attacks where key-management failures, rather than audited contract code, played a central role. Similar concerns appeared in the Kelp DAO and Resolv incidents earlier this year, according to security researchers cited in those cases.
TRM Labs has reported that bridge attacks remain a major source of crypto losses in 2026. The Gravity Bridge loss is smaller than some past bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.


