Gravity Bridge Suspended After $5.4M Drain Hits Ethereum-Cosmos Link

Gravity Bridge lost an estimated $5.4 million in a drain on Saturday morning that security researchers linked to a signing key failure.

Summary

  • Gravity Bridge lost nearly $5.4 million after security researchers flagged unusual withdrawals linked to a signing key compromise.
  • PeckShield said the stolen assets included USDC, wrapped ether, USDT, and PAXG, and that some funds were moved through ChangeNow and Binance.
  • The Gravity team halted the bridge and asked validators and orchestrators to stop while it investigated the incident.

On-chain analyst Specter first flagged the unusual withdrawals, saying the pattern suggested that the bridge's signing keys, rather than its smart contract code, may have been compromised. Security firm PeckShield later posted a similar assessment and shared a breakdown of the stolen assets.

Gravity Bridge halted after the drain

According to PeckShield, the stolen assets include approximately $4.3 million in USDC, 274 wrapped ether valued at approximately $553,000, $434,000 in USDT, and 14.16 PAXG worth approximately $64,000. The company said the funds were transferred to an address ending in 7C62da1F9.

Specter identified the affected Gravity Bridge contract as the one with an address ending in 1F2D906. The analyst said the transaction pattern appears consistent with unauthorized withdrawals approved through compromised authorizations rather than direct exploitation of the contract's logic.

The Gravity team later confirmed the incident on X and asked validators to halt their validators and orchestrators while the investigation continued. In another update, the team said the bridge has been suspended while it reviews the attack.

Researchers point to the authorization layer

Gravity Bridge connects Ethereum to the Cosmos ecosystem by locking assets on Ethereum and minting mirrored tokens on Cosmos. Validator signatures authorize the movement of assets across the bridge.

According to Specter's early analysis, an attacker in control of enough validator signing keys can make withdrawals appear legitimate to the system. The PeckShield report focused on the stolen funds and the movement of assets after the drain.

The Gravity team has not released a postmortem, so the exact point of entry is not confirmed. Its public updates have confirmed only the incident, the suspension, and the ongoing investigation.

Attacker moves funds through exchange services

PeckShield said that part of the stolen funds had already been transferred to ChangeNow and Binance after the attack. The company also reported that the attacker's wallet still held about 2,100 ETH, worth close to $4.23 million, when it published its update.

An Arkham summary of the funds, shared by Specter, showed the associated address holding about $4.16 million in ether. The movement shows that investigators are tracking funds across several services and wallets.

Gravity Bridge is built by contributors, including the Althea team, and is secured by the Graviton token, or GRAV. The protocol has not specified whether the authentication infrastructure, private keys, or other operational weaknesses allowed the withdrawals.

If the early assessments are confirmed, the Gravity Bridge incident could join other bridge attacks in 2026 in which key management failures, rather than audited contract code, played a key role. Similar concerns arose in the Kelp DAO and Resolv incidents earlier this year, according to security researchers cited in those cases.

TRM Labs reported that bridge attacks remain the biggest source of crypto losses in 2026. The Gravity Bridge loss is smaller than some previous bridge breaches, including the $190 million Nomad hack in 2022 and the $81.5 million Orbit Bridge hack in 2024.
