Gravity Bridge lost about $5.4 million in a breach early Saturday morning in which security researchers flagged a potential signing key compromise.
Summary
- Gravity Bridge lost roughly $5.4 million after security researchers reported unusual withdrawals linked to a potential signing key compromise.
- PeckShield said the stolen assets included USDC, Wrapped Ether, USDT and PAXG, with some funds being moved through ChangeNOW and Binance.
- The Gravity team shut down the bridge and asked validators and orchestrators to take action while they investigate the incident.
On-chain analyst Specter first flagged the unusual withdrawals, saying the pattern suggests the bridge's signing keys, rather than the smart contract code, may have been compromised. Security firm PeckShield later posted a similar assessment and shared a breakdown of the stolen assets.
Gravity Bridge suspends operations due to fund outflow
According to PeckShield, the stolen assets included roughly $4.3 million in USDC, 274 units of Wrapped Ether valued at roughly $553,000, roughly $434,000 in USDT, and 14.16 PAXG valued at roughly $64,000. The company said the funds were moved to wallets ending in 7C62da1F9.
Specter identified the affected Gravity Bridge contracts as addresses ending in 1F2D906. Analysts said this transaction pattern appears to be consistent with fraudulent withdrawals approved by fraudulent authorizations rather than a direct abuse of contract logic.
The Gravity team subsequently confirmed the incident on X and asked validators to suspend their validators and orchestrators while the investigation continues. In a separate update, the team said the bridge had been shut down while it investigated the attack.
Researchers point to authorization layer
Gravity Bridge connects the Ethereum and Cosmos ecosystems by locking assets on Ethereum and minting mirrored tokens on Cosmos. Validator signatures authorize the movement of assets across the bridge.
Specter's preliminary analysis suggests that an attacker who controls a sufficient number of valid signing keys could make withdrawals appear legitimate to the system. PeckShield's report also focused on the stolen funds and the movement of assets after the breach.
The Gravity team has not published a post-mortem, so the exact entry point remains unconfirmed. The latest information released only confirmed the incident, the suspension, and the ongoing investigation.
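Because a withdrawal backed by enough valid signatures looks legitimate to the contract, a defender has to check it against something the signing keys do not control. The added example below (not Gravity Bridge code) reconciles Ethereum-side withdrawals against Cosmos-side burns of mirrored tokens and flags any release that passes the signature quorum but has no backing burn. The record shapes, the 67% quorum and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

QUORUM = 67  # assumed signing threshold, percent of validator voting power

@dataclass(frozen=True)
class CosmosBurn:          # hypothetical record: mirrored tokens burned on Cosmos
    batch_nonce: int
    token: str
    amount: int

@dataclass(frozen=True)
class EthWithdrawal:       # hypothetical record: assets released on Ethereum
    tx_hash: str
    batch_nonce: int
    token: str
    amount: int
    signed_power: int      # voting power behind the attached signatures

def reconcile(burns, withdrawals):
    """Return (tx_hash, token, unbacked_amount, quorum_ok) for every withdrawal
    not fully covered by a Cosmos-side burn. Each burn is consumed only once."""
    available = {}
    for b in burns:
        key = (b.batch_nonce, b.token)
        available[key] = available.get(key, 0) + b.amount
    alerts = []
    for w in withdrawals:
        key = (w.batch_nonce, w.token)
        backed = available.get(key, 0)
        covered = min(backed, w.amount)
        available[key] = backed - covered
        if covered < w.amount:
            # Valid signatures alone do not prove the release was backed.
            alerts.append((w.tx_hash, w.token, w.amount - covered,
                           w.signed_power >= QUORUM))
    return alerts

# Constructed sample data, not taken from the incident.
BURNS = [CosmosBurn(101, "USDC", 2_500), CosmosBurn(102, "WETH", 3)]
WITHDRAWALS = [
    EthWithdrawal("0xaaa1", 101, "USDC", 2_500, 72),    # fully backed
    EthWithdrawal("0xbbb2", 103, "USDC", 900_000, 70),  # no burn for this batch
    EthWithdrawal("0xccc3", 102, "WETH", 5, 69),        # exceeds the burn by 2
]

if __name__ == "__main__":
    for alert in reconcile(BURNS, WITHDRAWALS):
        print("UNBACKED WITHDRAWAL:", alert)
```

An alert whose last field is True is the case the researchers describe: the contract logic behaved as designed, and only the cross-chain accounting shows the release was unauthorized.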
Attacker moves funds through swap service
PeckShield said some of the stolen funds had already been routed through ChangeNOW and Binance after the attack. The company also reported that at the time of its latest update, roughly 2,100 ETH (worth roughly $4.23 million) was still held in the wallet holding the stolen funds.
A wallet snapshot shared by Specter through Arkham showed related addresses holding roughly $4.16 million in ether. These movements indicate that investigators are tracking funds across multiple services and wallets.
Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton (GRAV) token. The protocol has not yet clarified whether validator infrastructure, private keys, or other operational weaknesses allowed the withdrawals.
If preliminary assessments are confirmed, the Gravity Bridge incident would join other 2026 bridge attacks in which key management failures rather than audited contract code played a central role. Similar concerns emerged in the Kelp DAO and Resolv incidents earlier this year, according to security researchers cited in those incidents.
TRM Labs reports that bridge attacks remain the leading cause of cryptocurrency losses in 2026. Gravity Bridge's losses are small compared to some past bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.

