Gravity Bridge shut down after Ethereum-Cosmos link hit by $5.4 million drain



Gravity Bridge lost about $5.4 million in a drain early on Saturday that security researchers linked to a potential compromise of its signing key.

Summary

  • Gravity Bridge lost about $5.4 million after security researchers flagged unusual withdrawals linked to a potential compromise of its signing key.
  • PeckShield said the stolen assets included USDC, wrapped ether, USDT, and PAXG, with some funds moved through ChangeNow and Binance.
  • The Gravity team stopped the bridge and asked auditors and coordinators to stop while they investigated the incident.

On-chain analyst Specter first reported the unusual withdrawals, saying the pattern suggested that the bridge’s signing keys, rather than its smart contract code, may have been compromised. Security firm PeckShield later published a similar assessment and shared details of the stolen assets.

Gravity Bridge halts operations after funds are drained

According to PeckShield, the stolen assets included approximately $4.3 million in USDC, 274 wrapped ether worth approximately $553,000, $434,000 in USDT, and 14.16 PAXG worth approximately $64,000. The company said the funds moved to a wallet address ending in 7C62da1F9.

Specter identified the affected Gravity Bridge contract as an address ending in 1F2D906. The transaction pattern appears consistent with unauthorized withdrawals that were approved through compromised authorization rather than by directly exploiting contract logic, the analyst said.

The Gravity team later confirmed the incident on X and asked auditors and moderators to stop while the investigation continued. In another update, the team said the bridge was down while the attack was being reviewed.

Researchers point to the delegation layer

Gravity Bridge connects Ethereum to the Cosmos ecosystem by locking assets on Ethereum and minting corresponding tokens on Cosmos. Validator signatures authorize the movement of assets across the bridge.

According to Specter’s early assessment, an attacker with control of enough valid signing keys could make withdrawals appear legitimate to the system. The PeckShield report also focused on the stolen funds and the movement of assets after the drain.

The Gravity team has not released a post-mortem report, so the exact entry point remains uncertain. Its public updates only confirmed the incident, the stop, and the ongoing investigation.

The attacker transfers funds through swap services

PeckShield said a portion of the stolen funds had already moved through ChangeNow and Binance after the attack. The company also stated that the wallet holding the stolen funds still contained about 2,100 ether, worth approximately $4.23 million, when it published its update.

A wallet snapshot shared by Specter via Arkham showed a related address containing approximately $4.16 million in ether. These movements show that investigators are tracking funds across multiple services and wallets.

Gravity Bridge was built by contributors, including the Althea team, and is secured by the Graviton or GRAV token. The protocol has not yet clarified whether validator infrastructure, private keys, or another operational vulnerability allowed the withdrawals.

If early assessments are confirmed, the Gravity Bridge incident would join other bridge attacks of 2026 in which key management failures, rather than audited contract code, played a central role. Similar concerns arose in the Seaweed dao and Resolv incidents earlier this year, according to security researchers cited in those cases.

TRM Labs reports that bridge attacks remain a major source of cryptocurrency losses in 2026. Gravity Bridge’s loss is lower than some previous bridge breaches, including the $190 million Nomad exploit in 2022 and the $81.5 million Orbit Bridge hack in 2024.




