
Gravity Bridge has lost about $5.4 million following a drain early on Saturday that security researchers linked to a possible compromise of the signing key.
Summary
- Gravity Bridge lost about $5.4 million after security researchers flagged unusual withdrawals linked to a possible compromise of the signing key.
- PeckShield said the stolen assets included USDC, wrapped ether, USDT and PAXG, with some funds moved through ChangeNow and Binance.
- The Gravity team stopped the bridge and asked validators and orchestrators to stop while it investigates the incident.
Chain analyst Specter first pointed out the unusual withdrawals, saying the pattern suggested that the bridge's signing keys, rather than its smart contract code, might have been compromised. Security company PeckShield later published a similar assessment and shared a breakdown of the stolen assets.
Gravity Bridge stops operations after funds are drained
According to PeckShield, the stolen assets included around $4.3 million worth of USDC, 274 wrapped ether valued at around $553,000, $434,000 worth of USDT, and 14.16 PAXG worth around $64,000. The firm said the funds were moved to a wallet ending in 7C62da1F9.
Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906. The analyst said the transaction pattern appeared consistent with unauthorized withdrawals approved via compromised authorization rather than a direct exploitation of contract logic.
The Gravity team later confirmed an incident on X and asked validators to stop their validators and orchestrators while the investigation continues. In another update, the team said the bridge had been stopped while it reviewed the attack.
Researchers point to the authorization layer
Gravity Bridge connects Ethereum to the Cosmos ecosystem by locking assets on Ethereum and minting tokens that represent them on Cosmos. The validators' signatures authorize the movement of assets across the bridge.
According to Specter's initial assessment, an attacker who controls enough valid signing keys could make withdrawals appear legitimate to the system. PeckShield's report also focused on the stolen funds and the movement of assets after the breach.
The Gravity team has not released a post-mortem, so the exact entry point remains unconfirmed. Its public updates have confirmed only the incident, the halt, and the ongoing investigation.
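The point about the authorization layer can be shown with a small model, added here as an illustration and not taken from Gravity Bridge's code or the researchers' reports: a release check that counts signing power accepts any withdrawal signed by enough keys, so detection has to come from reconciling releases against requests recorded on the source chain. The validator names, keys, the 67-power threshold, the HMAC stand-in for signatures and the sample withdrawals are all assumptions.

```python
import hashlib
import hmac

# Constructed validator set: name -> (secret key, voting power). HMAC stands in
# for the real signature scheme; every value here is made up for the example.
VALIDATORS = {"val-a": (b"key-a", 40), "val-b": (b"key-b", 35), "val-c": (b"key-c", 25)}
THRESHOLD = 67  # assumed quorum: total signing power required to release funds

def digest(w):
    """Canonical bytes of a withdrawal that validators sign."""
    return f"{w['nonce']}|{w['to']}|{w['token']}|{w['amount']}".encode()

def sign(name, w):
    return hmac.new(VALIDATORS[name][0], digest(w), hashlib.sha256).hexdigest()

def signed_power(w, sigs):
    """Sum the power of validators whose signature over w verifies."""
    return sum(power for name, (_, power) in VALIDATORS.items()
               if name in sigs and hmac.compare_digest(sigs[name], sign(name, w)))

def bridge_accepts(w, sigs):
    """The release check sees only signatures and power, not who held the key."""
    return signed_power(w, sigs) >= THRESHOLD

def unrequested(released, requested):
    """Defender check: released withdrawals with no matching source-chain request."""
    wanted = {digest(r) for r in requested}
    return [w for w in released if digest(w) not in wanted]

# Constructed sample data: one user-requested withdrawal, one with no request.
LEGIT = {"nonce": 1, "to": "0xUSER", "token": "USDC", "amount": 500}
ROGUE = {"nonce": 2, "to": "0xUNKNOWN", "token": "USDC", "amount": 4_300_000}
REQUESTED = [LEGIT]  # what the source chain recorded
LEGIT_SIGS = {n: sign(n, LEGIT) for n in VALIDATORS}
ROGUE_SIGS = {n: sign(n, ROGUE) for n in ("val-a", "val-b")}  # 75 power, keys misused

if __name__ == "__main__":
    for w, sigs in ((LEGIT, LEGIT_SIGS), (ROGUE, ROGUE_SIGS)):
        print(w["nonce"], "accepted:", bridge_accepts(w, sigs))
    print("alerts:", unrequested([LEGIT, ROGUE], REQUESTED))
```

Both withdrawals pass the signature check; only the reconciliation step separates them, which is why monitoring that compares releases with source-chain requests is useful alongside key protection.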
Attacker moves funds through swap services
PeckShield said some of the stolen funds had already been moved through ChangeNow and Binance after the attack. The firm also reported that the wallet holding the stolen funds still contained around 2,100 ETH, valued at around $4.23 million, when it posted its update.
A snapshot of the wallet shared by Specter via Arkham showed a related address containing approximately $4.16 million in ether. These movements show that investigators are tracking funds across various services and wallets.
Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton or GRAV token. The protocol has not yet explained whether validator infrastructure, private keys, or another operational weakness allowed the withdrawals.
If early assessments are confirmed, the Gravity Bridge incident would join other 2026 bridge attacks in which key management flaws, rather than audited contract code, played a central role. Similar concerns arose in the seaweed and Resolv earlier this year, according to security researchers cited in those cases.
TRM Labs has reported that bridge attacks will continue to be a major source of crypto losses in 2026. The Gravity Bridge loss is smaller than some previous bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.
