Gravity Bridge has lost about $5.4 million following an early Saturday drain that security researchers linked to a possible signing key compromise.
Summary
- Gravity Bridge lost about $5.4 million after security researchers flagged unusual withdrawals tied to a possible signing-key compromise.
- PeckShield said the stolen assets included USDC, wrapped ether, USDT, and PAXG, with some funds moved through ChangeNow and Binance.
- The Gravity team halted the bridge and asked validators and orchestrators to stop while it investigates the incident.
On-chain analyst Specter first flagged the unusual withdrawals, saying the pattern suggested that the bridge’s signing keys may have been compromised rather than its smart contract code. Security firm PeckShield later posted a similar assessment and shared a breakdown of the stolen assets.
Gravity Bridge halts operations after fund drain
According to PeckShield, the stolen assets included about $4.3 million in USDC, 274 wrapped ether valued at around $553,000, $434,000 in USDT, and 14.16 PAXG worth around $64,000. The firm said the funds moved to a wallet ending in 7C62da1F9.
Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906. The analyst said the transaction pattern appeared consistent with unauthorized withdrawals approved through compromised authorization rather than a direct exploit of contract logic.
The Gravity team later confirmed an incident on X and asked validators to stop their validators and orchestrators while the investigation continues. In another update, the team said the bridge had been halted as it reviewed the attack.
Researchers point to the authorization layer
Gravity Bridge connects Ethereum with the Cosmos ecosystem by locking assets on Ethereum and minting mirrored tokens on Cosmos. Validator signatures authorize asset movement across the bridge.
According to Specter’s early assessment, an attacker who controls enough valid signing keys could make withdrawals appear legitimate to the system. PeckShield’s report also focused on the stolen funds and the movement of assets after the drain.
The Gravity team has not released a postmortem, so the exact entry point remains unconfirmed. Its public updates have only confirmed the incident, the halt, and the ongoing investigation.
Attacker moves funds through swap services
PeckShield said part of the stolen funds had already moved through ChangeNow and Binance after the attack. The firm also reported that the stolen wallet still held about 2,100 ETH, valued near $4.23 million, when it published its update.
A wallet snapshot shared by Specter through Arkham showed a related address holding roughly $4.16 million in ether. These movements show that investigators are tracking the funds across several services and wallets.
Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton, or GRAV, token. The protocol has not yet explained whether validator infrastructure, private keys, or another operational weakness allowed the withdrawals.
If the early assessments are confirmed, the Gravity Bridge incident would join other 2026 bridge attacks where key-management failures, rather than audited contract code, played a central role. Similar concerns appeared in the Kelp DAO and Resolv incidents earlier this year, according to security researchers cited in those cases.
TRM Labs has reported that bridge attacks remain a major source of crypto losses in 2026. The Gravity Bridge loss is smaller than some past bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.
