Skip to content

exploit

Across Protocol takes first hit on Solana, loss lands on Risk Labs relayer

Across said its Solana deployment was attacked at ~5:30 AM UTC on July 17. Users were kept whole; the loss sits with the Risk Labs relayer. Solana deposits paused.

by 7 min read

Cross-chain bridge Across Protocol disclosed a security incident on its Solana deployment on July 17, 2026 at ~05:30 UTC, the first attack the protocol has publicly acknowledged since it launched in 2021. Per the team's own statement on X, user funds were not affected: in-flight bridge transactions completed normally and the loss was absorbed by the Risk Labs-operated relayer — Risk Labs is the foundation supporting Across and one participant in the otherwise permissionless relayer set. The team is coordinating tracing with SEAL 911 and has flagged three attacker-linked addresses (one on Solana, two on Ethereum). Solana deposits are paused; every other bridge route is running normally. Primary reference is Across's own X account and follow-up thread; independent reads on the incident include The Crypto Times and Bloomingbit.

What happened

At approximately 05:30 UTC on July 17, an attacker hit the Solana leg of Across. The bridge's user-facing flow — deposit on the origin chain, relayer fronts the funds on the destination chain, relayer is later repaid by the settlement layer — continued to settle transactions in-flight throughout. Users who initiated bridge orders before or during the window were paid out; the team stated that "your funds are safe and refunds will process automatically" in a follow-up post later that day.

The party carrying the loss is Risk Labs, whose relayer was the one filling the malicious orders. In Across's design, relayers are the ones exposed to spoofed-deposit or double-fill risk before settlement clears — a well-known category of bridge-relayer risk, distinct from a spoke-pool drain. Across-labelled contracts and the Solana SVM SpokePool were not reported to have been drained.

Mechanism — relayer-side risk, not spoke-pool drain

Across explicitly noted that a full post-mortem "will follow in the coming days," so the exact exploit path is not yet public. What Across has said publicly maps to a relayer-fill class of failure rather than a spoke-pool compromise:

  • User funds sitting in Across spoke contracts and reserves were not touched.
  • Bridge orders in flight were completed by other relayers — the permissionless set kept working, and the loss was contained to one operator's balance sheet.
  • Solana was the surface. The rest of the network — Ethereum mainnet, the L2s, and the newer chain integrations — kept operating normally.

The Solana leg of Across has been a known area of extra complexity since it went live in 2025. Asymmetric Research flagged a vulnerability class earlier in 2026 tied to Solana's event system, in which a bug in the SVM spoke could have allowed an attacker to spoof deposit events and trick relayers into filling orders with no real deposit behind them. Whether the July 17 incident maps onto that class or a different Solana-specific defect is what the post-mortem should settle.

Numbers block

- Protocol                : Across (Risk Labs foundation)
- Incident time           : 2026-07-17 ~05:30 UTC
- Chain(s) affected       : Solana leg only
- Party bearing the loss  : Risk Labs relayer (foundation-operated)
- User funds lost         : none reported
- In-flight bridge tx     : all completed / refunded
- Prior incident record   : none publicly disclosed since 2021 launch
- Prior cumulative volume : ~$34B bridged
- Response                : Solana deposits paused; rest of protocol live
- Tracing                 : coordinating with SEAL 911
- Flagged addresses       : 3 (1 Solana, 2 Ethereum)
- Loss size (USD)         : not disclosed — pending post-mortem
- Post-mortem timing      : "in the coming days" per the team

Impact

Across has spent four years and roughly $34 billion in cumulative bridge volume without a public exploit — that record is now broken, but broken in the least damaging shape a bridge can take: the operator that fronted capital eats the loss, not the users who trusted the bridge. That distinction matters. Bridge failure modes come in three grades — users lose funds, LPs lose funds, or the relayer/operator eats it — and the third is the one a well-designed intent-based bridge should be able to survive without contagion.

For Risk Labs, the impact depends on the still-undisclosed loss size and whether any of the three flagged addresses can be frozen at the exchange layer before laundering. For the Across DAO, the more interesting question is what the incident does to relayer economics: if operators price in "the SVM spoke can spoof me," fill fees on Solana widen, or the permissionless set thins.

For the wider bridging market, this is the second reminder in a quarter that intent-based / relayer-fronted designs shift risk from the spoke contract to the relayer's balance sheet, not away from it altogether. The user-experience win is real; the operator-side attack surface is real too, and it's where 2026 exploits have been concentrating.

Action checklist

  1. Users bridging via Across on Solana — wait for Solana deposits to be re-enabled. Any in-flight transaction from before the pause has been completed or refunded per the team; do not re-submit and do not click "help me recover" DMs or links.
  2. LPs and delegators in the Across Across-Bridge system — check whether your position is exposed to the Risk Labs relayer directly or only to the protocol-level LP pool. The public statement says the loss is on the operator, not on the shared pools, but the post-mortem is the source of truth on final allocation.
  3. Integrators and aggregators (LiFi, Socket, Rango, etc.) — audit your Across integration for the Solana leg. If your quoting layer defaults to Across on SOL-side routes, re-price on the assumption that Solana fills stay paused for at least the post-mortem window.
  4. Security researchers and SEAL 911 subscribers — the three flagged addresses (one Solana, two Ethereum) are the tracing target. Any mixer, bridge, or CEX deposit from those wallets is where recovery leverage lives.
  5. Other bridge operators (Wormhole, LayerZero, DeBridge, Circle CCTP) — the SVM event-spoofing class flagged by Asymmetric Research earlier in 2026 is the class to re-audit against, whether or not it turns out to be the July 17 vector.

Context — the bridge story since Nomad, Wormhole, Ronin and Kelp

The bridge sector has bled the most money in DeFi history — Ronin, Wormhole, Nomad, Multichain, Orbit, Kelp DAO — and the lessons from each of those have pushed protocols toward designs where the shared pool is smaller, the operators fronting capital are larger, and the honeypot at the centre of the bridge is less concentrated. Across's intent-based model is one such answer; it kept a clean record for four years and, when it did break, broke without user losses.

That is not vindication of the model — it's the model working as advertised in exactly one incident. The relevant read on July 17 is that Solana-side event-spoofing risk, flagged months earlier, is now confirmed as an operational threat class, and that the next-year bridge exploit map probably runs through relayer-side failure modes rather than through smart-contract drains. Meanwhile, Solana-specific security incidents have piled up in July alone — Drift in April ($285M), DeFiTuna on July 16 ($580k lending-pool exploit), the Cascade / Raydium incident of July 15 ($1.34M), and now Across. The chain's DeFi surface is expanding fast; the exploit surface is expanding with it.

The next read is the Across post-mortem itself: named vector, exact loss, whether recovery is any part of the plan, and whether Solana deposits come back on the same contract or a re-audited one. Whichever way that lands, the four-year zero-exploit line has ended.

Sources:

Related stories