Gravity Bridge halts after $5.4M exploit tied to signing key compromise
In brief
- Gravity Bridge lost $5.4M through suspected signing key compromise affecting Ethereum-Cosmos transfers.
- Validators halted operations immediately; stolen funds included $4.3M USDC and $553K Wrapped Ether.
- Analyst Specter flagged unusual outflows Saturday; PeckShield confirmed the exploit.
- Stolen funds partially laundered via ChangeNow and Binance; theft wallet held ~2,102 ETH.
- Eighth major bridge exploit of 2026; cumulative losses now $328.6M across all incidents.
The Exploit Unfolds
Onchain analyst Specter flagged the unusual outflows in a Saturday post on X, detailing the theft wallet's contents. Security firm PeckShield confirmed the exploit, breaking down the stolen assets as approximately $4.3 million in USDC, 274 Wrapped Ether worth roughly $553,000, $434,000 in USDT, and 14.164 PAX Gold tokens valued at about $64,000.
The attackers moved quickly to obscure their tracks. PeckShield reported that a portion of the haul had already been laundered through instant-swap service ChangeNow and through Binance. At the time of PeckShield's analysis, the theft wallet was still holding around 2,102 ETH worth approximately $4.23 million, suggesting the attacker hadn't fully liquidated the position.
Bridge Design and Context
Gravity Bridge uses its full validator set to authorize transfers, making it one of the more decentralized bridge designs in the space. Its native token is Graviton (GRAV), used by validators to secure the bridge. The token is currently trading at $0.0007053, down 4% over the past day, according to data from CoinMarketCap.
The incident underscores a persistent vulnerability. JPMorgan analysts have flagged bridge security as a major challenge in an April research note. This exploit marks the eighth major bridge attack of 2026, with cumulative losses across those incidents reaching $328.6 million. Following the KelpDAO breach in April, which drained roughly $290 million and was attributed to North Korea's Lazarus Group, total value locked across DeFi fell from nearly $100 billion to around $86 billion in just two days.
Validators have been instructed to halt operations while the investigation proceeds. The team's statement emphasized the need for a thorough review before resuming normal bridge function.
Frequently asked questions
What is Gravity Bridge and how does it work?
Gravity Bridge is a decentralized blockchain that facilitates cross-chain transfers between Ethereum and Cosmos. It uses its full validator set to authorize transfers, making it one of the more decentralized bridge designs. The bridge's native token, Graviton (GRAV), is used by validators to secure the network.
How much was stolen and what assets were taken?
Approximately $5.4 million was stolen in the exploit. The stolen assets included $4.3 million in USDC, 274 Wrapped Ether worth roughly $553,000, $434,000 in USDT, and 14.164 PAX Gold tokens worth about $64,000. A portion of the funds had already been laundered through ChangeNow and Binance.
Why are bridge exploits becoming a major concern?
Bridge security has emerged as a critical vulnerability in the crypto ecosystem. JPMorgan analysts flagged it as a major challenge in an April research note. The Gravity Bridge exploit is the eighth major bridge attack of 2026, with cumulative losses reaching $328.6 million across all incidents this year.
